Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk archiving setting not working properly

sudhir7
Explorer
‎01-21-2018 09:31 PM

I am testing the frozenTimePeriodInSecs setting, I have following default stanza in my indexes.conf file.

[default]
frozenTimePeriodInSecs = 31556736

Still all the indexes are showing data that is older than 7 years.
I was expecting data older than a year to be deleted as I don't have any archive directory setup.
There are two things that could be possible - either the default setting is not being applied to all the indexes or the frozenTimePeriodInSecs setting is not working as expected for me.

Has anyone else faced a similar situation ? Are there any configurational settings I am missing ?

0 Karma
Reply

mayurr98
Super Champion
‎01-21-2018 10:29 PM

hey, I think you have configured indexes.conf in default?

default is the name of the index?

can you tell where you have configured this setting?

This is found in indexes.conf and is set on a per-index level.

The parameter is called FrozenTimePeriodInSecs and is expressed in seconds. If it does not exist, then the default value of 31556736 is used, which is approximately 6 years.

Read more in the docs,

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Configureindexstorage

you have to configure this in local/indexes.conf

If default is not the name of the index then the syntax should be

[<your_index_name>]
frozenTimePeriodInSecs = 31556736

let me know if this helps!

0 Karma
Reply

sudhir7
Explorer
‎01-21-2018 11:02 PM

Hi Mayur,
Thanks for your reply.
I tried adding the line for individual indexes to archive data by adding coldToFrozenDir settings in local/indexes.conf. We have 10TB of data to be archive but the rate of archiving was very very slow around 1GB/day.
Have you tried this in the past ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...