Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Buckets in hot_quar- Is there a way to clean those folders and set the frozenTimePeriodInSecs?

jariw
Path Finder
‎03-14-2023 03:13 AM

Hi,

I was looking for the retention period for my index main and _internal and noticed the data is outide our default frozenTimePeriodInSecs. Standard this is 555 days.

I went searching for the buckets which are outside the normal time with the searches from this answer:

https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/1163...

and to my surprise.. the buckets are al hot.. and way old.  What bothers me are those buckets are all in folder called hot_quar_v1_xxxx and the normal folders starting with previous xxxxx from the quar folder.

What to do with this data? I want to reduce the frozenTimePeriodInSecs from 555 days to say 30 days.. but it doesn't seems to work this way if there are buckets as old as 100961834 secs in those hot_quar folders.

Is there a way to clean those folders and set the frozenTimePeriodInSecs?

 

thanx in advance

Jari

Labels (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...