Splunk Enterprise

How to set frozenTimePeriodInSecs under a different App?

henrysoon80
New Member

Hi All Splunker,

May I know how to set frozenTimePeriodInSecs under a different App?

Example Compliance App retention period is 180 days for all index name, Audit App retention is 90 days for all index name, due to every time need create a lot of index name under those App, for convenient and fulfill the compliance retention needed, can we set frozenTimePeriodInSecs under App-level instead of System-level or one by one index name (avoid human mistake also)?

I got try it under $SPLUNK_HOME/etc/app/compliance/local and $SPLUNK_HOME/etc/app/audit/local under each app configure indexes.conf by input [default] stanza and set the frozenTimePeriodInSecs field for 180 days and 90 days and disabled global setting under System/local/indexes.conf. However, seem like it was failed due to precedence order issue.

1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority

If the same level of App local directories the default always gets the smaller value which is 90 days.

So any expert over here can provide some advice?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Retention is per-index, not per-app.  You can set the retention for an index in any app, but if the same index (or all indexes) is set in more than one app then the rules of precedence apply. 

---
If this reply helps you, an upvote would be appreciated.
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!