Solved: frozenTimePeriodInSecs - when does this count star...

mookiie2005 · ‎07-11-2013

for the frozenTimePeriodInSecs attribute from indexes.conf, when does this count start? As soon as the data is indexed or does it count from once it went to cold or frozen status? (I already know that a DB bucket will not role to frozen until all the data in the bucket is older than the specified time.)

jtrucks · ‎07-11-2013

As http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy indicates, "When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled."

Therefore, it is based on the time the event is indexed. This simplies all time parameters used in Splunk, as well.

--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks · ‎07-11-2013

As http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy indicates, "When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled."

Therefore, it is based on the time the event is indexed. This simplies all time parameters used in Splunk, as well.

--
Jesse Trucks
Minister of Magic

the_wolverine · ‎07-11-2013

Correct except for aging is based on the event time, not indexed time.

mookiie2005 · ‎07-11-2013

Thank you for the clarification.

frozenTimePeriodInSecs - when does this count start?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!