Having trouble with Indexes and Monitors working together

Hello Splunk Community,

I have finally reached a place where I know what I want to do and believe I know the right avenue to do so, yet I am still having trouble getting the pieces to work. I have changed the inputs.conf and the indexes.conf in the local directory ($Splunk\etc\system\local) so that there is a monitor on a few local directories and the frozenTimePeriodInSecs is 1 week.

My goal is to bring in files to the directories with a scheduled task once per week and then Freeze the data so the index is completely wiped every week minus an hour (essentially having only the newest data for 1 week periods and then removing it completely so new data takes its place). My issue is that when testing, the freeze works, but the monitoring seems to stop working after the first freeze. Is there a reason the monitored files are not being received? Also, does the Freeze require a splunkd restart each time or will it work as I hope?

Any and all feedback on the Freeze information and monitoring information would be a great help. Thanks!

Could the files you are monitoring be unchanged since the previous week? If so, Splunk won't want to re-index the same data. You can get around this by writing a script to "one-shot" the directories to Splunk each week. Take a look at:

The freeze should work fine. You don't need to restart Splunk for the freeze to take effect - Splunk takes care of this for you.
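Added example (not from the original thread or any of the answerers): a weekly feeder script that uses `splunk add oneshot` on each monitored directory, as the answer above suggests, together with the indexes.conf stanza that sets a one-week frozenTimePeriodInSecs. One-shot input does not consult the fishbucket, so a file whose content is unchanged from the previous week is still indexed, which is what the monitor refuses to do. The index name "weekly", sourcetype "weekly_drop", directory paths and SPLUNK_HOME default are all assumptions. One caveat: frozenTimePeriodInSecs is applied per bucket (a bucket is frozen, and with no coldToFrozenDir set, deleted, once its newest event is older than the period), so the wipe follows bucket boundaries rather than landing on exactly the same minute each week.

```shell
#!/bin/sh
# Added example, not from the original thread. Weekly one-shot feeder plus
# the matching indexes.conf stanza. Assumed names: index "weekly",
# sourcetype "weekly_drop", SPLUNK_HOME defaulting to /opt/splunk.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SECONDS_PER_DAY=86400

# Render the indexes.conf stanza for an index whose buckets are frozen
# (deleted, since no coldToFrozenDir is set) once they are "days" old.
# The single-quoted format keeps $SPLUNK_DB literal, as Splunk expects.
render_indexes_conf() {
    idx="$1"
    days="$2"
    secs=$((days * SECONDS_PER_DAY))
    printf '[%s]\nhomePath = $SPLUNK_DB/%s/db\ncoldPath = $SPLUNK_DB/%s/colddb\nthawedPath = $SPLUNK_DB/%s/thaweddb\nfrozenTimePeriodInSecs = %s\n' \
        "$idx" "$idx" "$idx" "$idx" "$secs"
}

# Feed every regular file in a directory to Splunk with "splunk add oneshot".
# Unlike a [monitor://] stanza, one-shot skips the fishbucket CRC check, so
# content identical to last week's drop is still indexed.
# With DRY_RUN=1 the command lines are printed instead of executed.
# When executed for real, run from a session that has already done
# "splunk login", or append -auth user:password to the command.
oneshot_dir() {
    dir="$1"
    idx="$2"
    st="$3"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and globs that matched nothing
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$SPLUNK_HOME/bin/splunk add oneshot $f -index $idx -sourcetype $st"
        else
            "$SPLUNK_HOME/bin/splunk" add oneshot "$f" -index "$idx" -sourcetype "$st"
        fi
    done
}

# Usage (assumed paths): DRY_RUN=1 sh weekly_oneshot.sh /var/drop/app1 /var/drop/app2
# With no directories given the script only defines the functions above.
for d in "$@"; do
    oneshot_dir "$d" weekly weekly_drop
done
```

Schedule the script from the same weekly task that copies the files in; `render_indexes_conf weekly 7` prints the stanza to paste into $SPLUNK_HOME/etc/system/local/indexes.conf (604800 seconds is seven days).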

Lots of possible reasons for new files not being indexed - can you post the relevant inputs.conf monitors? The Frozen time on your index is separate from the monitor processes and does not affect it.

The most likely reason is that your new files appear to be identical to the old ones, but if you share your inputs we can get a better idea.

