I have finally reached a place where I know what I want to do and believe I know the right avenue to do so, yet I am still having trouble getting the pieces to work. I have changed the inputs.conf and the indexes.conf in the local directory ($Splunk\etc\system\local) so that there is a monitor on a few local directories and the frozenTimePeriodInSecs is 1 week.
My goal is to bring in files to the directories with a scheduled task once per week and then Freeze the data so the index is completely wiped every week minus an hour (essentially having only the newest data for 1-week periods and then removing it completely so new data takes its place). My issue is that when testing, the freeze works, but the monitoring seems to stop working after the first freeze. Is there a reason the monitored files are not being received? Also, does the Freeze require a splunkd restart each time or will it work as I hope?
Any and all feedback on the Freeze information and monitoring information would be a great help. Thanks!