Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I verify that a configuration change for shortening the time to frozen has gone through?

wwhitener
Communicator
‎09-19-2011 02:09 PM

Good afternoon,

I am trying to verify a configuration change. I've shortened the indexes.conf to make the frozenTimePeriodInSecs shorter than the default--about a week. How do I verify that the change has gone through? I've tried looking at some static log files I had indexed to test and those don't appear to have changed. I've tried indexing and looking at splunk log files (test system--nothing really is going in it) and those seem to show that the data has been pruned and cleared out. If someone knows how to veirfy and prove that this change has worked, could I please get a clue from you on how to go about it?

Thank you.

Edited to add: Our test server is 3.4.5.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wwhitener
Communicator
‎09-28-2011 07:44 AM

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

wwhitener
Communicator
‎09-28-2011 07:44 AM

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

0 Karma
Reply
Solved! Jump to solution

MarioM
Motivator
‎09-19-2011 11:17 PM

You should see INFO entries about BucketMover in splunkd.log:

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" component="BucketMover"

Some message similar to this:

09-20-2011 08:01:08.990 +0200 INFO  BucketMover - AsyncFreezer freeze succeeded for /opt/splunk/var/lib/splunk/defaultdb/colddb/db_1308473665_1308226506_25
0 Karma
Reply
Solved! Jump to solution

wwhitener
Communicator
‎09-20-2011 09:32 AM

I don't know if this is a matter of version or not--we're on 3.4.5--but when I try to query on the BucketMover component, I get zero results returned.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...