Solved: frozenTimePeriodInSecs - when does this count star...

mookiie2005 · ‎07-11-2013

for the frozenTimePeriodInSecs attribute from indexes.conf, when does this count start? As soon as the data is indexed or does it count from once it went to cold or frozen status? (I already know that a DB bucket will not role to frozen until all the data in the bucket is older than the specified time.)

jtrucks · ‎07-11-2013

As http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy indicates, "When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled."

Therefore, it is based on the time the event is indexed. This simplies all time parameters used in Splunk, as well.

--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks · ‎07-11-2013

As http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy indicates, "When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled."

Therefore, it is based on the time the event is indexed. This simplies all time parameters used in Splunk, as well.

--
Jesse Trucks
Minister of Magic

the_wolverine · ‎07-11-2013

Correct except for aging is based on the event time, not indexed time.

mookiie2005 · ‎07-11-2013

Thank you for the clarification.

frozenTimePeriodInSecs - when does this count start?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?