Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Change Splunk frozenTimePeriodInSecs for any of the indexes

CHAUHAN812
Explorer
‎12-19-2024 03:02 AM

I want to increase one of my index frozen Time Period from 12 months to 13 months. I have increased the Max Size of Entire Index from the Splunk indexer > Settings. But I know this is not enough as my index frozen Time Period is set on 12 months period.

So where should I update this value ?

Should I need to update 'Indexes.conf' file for required indexes to the indexer server itself which is installed on Linux machine.

What things I need to take care while updating this frozen Time Period.

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

luizlimapg
Path Finder
‎12-19-2024 05:17 AM

Hi @CHAUHAN812,

In that case, in the indexes.conf file, you just need to adjust the frozenTimePeriodInSecs parameter in the 2 index stanzas.

[index01]
frozenTimePeriodInSecs = 34187400

[index02]
frozenTimePeriodInSecs = 34187400

Restart Splunk after that

View solution in original post

Reply
Solved! Jump to solution

CHAUHAN812
Explorer
‎12-27-2024 07:40 AM

Thank you for your quick responses. I have increased the frozen time period from my indexer machine. And I am able to increase it according to my requirement.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-19-2024 03:55 AM

If you have individual indexers then it is correct place. After change do reload for it. If you have indexer cluster then you must do this change on CM. Edit correct indexes.conf file somewhere under master-apps or manager-apps. After that apply cluster-bundle, when it has distributed into search peers.

Reply
Solved! Jump to solution

CHAUHAN812
Explorer
‎12-19-2024 04:35 AM

Yes , I have an individual indexer which is installed on Linux machine. And I need to increase the frozenTimePeriodInSecs only for 2 of the indexes.

So to increase the Frozen Time Period from 12 months to 13 months then I just need to update the frozenTimePeriodInSecs values to the indexes.conf file from the indexer server right ?

  

0 Karma
Reply
Solved! Jump to solution
Solution

luizlimapg
Path Finder
‎12-19-2024 05:17 AM

Hi @CHAUHAN812,

In that case, in the indexes.conf file, you just need to adjust the frozenTimePeriodInSecs parameter in the 2 index stanzas.

[index01]
frozenTimePeriodInSecs = 34187400

[index02]
frozenTimePeriodInSecs = 34187400

Restart Splunk after that

Reply
Solved! Jump to solution

CHAUHAN812
Explorer
‎12-19-2024 05:33 AM

Thanks,

So this should be done in the indexer server right ?

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-19-2024 10:02 AM
Here is link to docs https://docs.splunk.com/Documentation/Splunk/9.4.0/Indexer/Setupmultipleindexes
Remember if you are editing conf files then you must do restart or in some cases reload is enough. If you want to avoid that, then you should use GUI or CLI commands to modify those values.
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-27-2024 11:48 AM

Or REST.

0 Karma
Reply
Solved! Jump to solution

luizlimapg
Path Finder
‎12-19-2024 09:19 AM

Right! If you have only one indexer

Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...