How to set frozenTimePeriodInSecs under a differen...

henrysoon80 · ‎12-09-2020

Hi All Splunker,

May I know how to set frozenTimePeriodInSecs under a different App?

Example Compliance App retention period is 180 days for all index name, Audit App retention is 90 days for all index name, due to every time need create a lot of index name under those App, for convenient and fulfill the compliance retention needed, can we set frozenTimePeriodInSecs under App-level instead of System-level or one by one index name (avoid human mistake also)?

I got try it under $SPLUNK_HOME/etc/app/compliance/local and $SPLUNK_HOME/etc/app/audit/local under each app configure indexes.conf by input [default] stanza and set the frozenTimePeriodInSecs field for 180 days and 90 days and disabled global setting under System/local/indexes.conf. However, seem like it was failed due to precedence order issue.

1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority

If the same level of App local directories the default always gets the smaller value which is 90 days.

So any expert over here can provide some advice?

richgalloway · ‎12-09-2020

Retention is per-index, not per-app. You can set the retention for an index in any app, but if the same index (or all indexes) is set in more than one app then the rules of precedence apply.

---
If this reply helps you, Karma would be appreciated.

How to set frozenTimePeriodInSecs under a different App?

administration

configuration

development

using Splunk Enterprise

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!