Solved: frozenTimePeriodInSecs - when does this count star...

mookiie2005 · ‎07-11-2013

for the frozenTimePeriodInSecs attribute from indexes.conf, when does this count start? As soon as the data is indexed or does it count from once it went to cold or frozen status? (I already know that a DB bucket will not role to frozen until all the data in the bucket is older than the specified time.)

jtrucks · ‎07-11-2013

As http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy indicates, "When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled."

Therefore, it is based on the time the event is indexed. This simplies all time parameters used in Splunk, as well.

--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks · ‎07-11-2013

As http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy indicates, "When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled."

Therefore, it is based on the time the event is indexed. This simplies all time parameters used in Splunk, as well.

--
Jesse Trucks
Minister of Magic

the_wolverine · ‎07-11-2013

Correct except for aging is based on the event time, not indexed time.

mookiie2005 · ‎07-11-2013

Thank you for the clarification.

frozenTimePeriodInSecs - when does this count start?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation