Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I verify that a configuration change for shortening the time to frozen has gone through?

wwhitener
Communicator
‎09-19-2011 02:09 PM

Good afternoon,

I am trying to verify a configuration change. I've shortened the indexes.conf to make the frozenTimePeriodInSecs shorter than the default--about a week. How do I verify that the change has gone through? I've tried looking at some static log files I had indexed to test and those don't appear to have changed. I've tried indexing and looking at splunk log files (test system--nothing really is going in it) and those seem to show that the data has been pruned and cleared out. If someone knows how to veirfy and prove that this change has worked, could I please get a clue from you on how to go about it?

Thank you.

Edited to add: Our test server is 3.4.5.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wwhitener
Communicator
‎09-28-2011 07:44 AM

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

wwhitener
Communicator
‎09-28-2011 07:44 AM

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

0 Karma
Reply
Solved! Jump to solution

MarioM
Motivator
‎09-19-2011 11:17 PM

You should see INFO entries about BucketMover in splunkd.log:

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" component="BucketMover"

Some message similar to this:

09-20-2011 08:01:08.990 +0200 INFO  BucketMover - AsyncFreezer freeze succeeded for /opt/splunk/var/lib/splunk/defaultdb/colddb/db_1308473665_1308226506_25
0 Karma
Reply
Solved! Jump to solution

wwhitener
Communicator
‎09-20-2011 09:32 AM

I don't know if this is a matter of version or not--we're on 3.4.5--but when I try to query on the BucketMover component, I get zero results returned.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...