Getting Data In

How do I verify that a configuration change for shortening the time to frozen has gone through?

wwhitener
Communicator

Good afternoon,

I am trying to verify a configuration change. I've shortened the indexes.conf to make the frozenTimePeriodInSecs shorter than the default--about a week. How do I verify that the change has gone through? I've tried looking at some static log files I had indexed to test and those don't appear to have changed. I've tried indexing and looking at splunk log files (test system--nothing really is going in it) and those seem to show that the data has been pruned and cleared out. If someone knows how to veirfy and prove that this change has worked, could I please get a clue from you on how to go about it?

Thank you.

Edited to add: Our test server is 3.4.5.

0 Karma
1 Solution

wwhitener
Communicator

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

View solution in original post

0 Karma

wwhitener
Communicator

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

0 Karma

MarioM
Motivator

You should see INFO entries about BucketMover in splunkd.log:

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" component="BucketMover"

Some message similar to this:

09-20-2011 08:01:08.990 +0200 INFO  BucketMover - AsyncFreezer freeze succeeded for /opt/splunk/var/lib/splunk/defaultdb/colddb/db_1308473665_1308226506_25
0 Karma

wwhitener
Communicator

I don't know if this is a matter of version or not--we're on 3.4.5--but when I try to query on the BucketMover component, I get zero results returned.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...