May I know how to set frozenTimePeriodInSecs under a different App?
For example, the Compliance App retention period is 180 days for all index names and the Audit App retention is 90 days for all index names. Because we need to create a lot of index names under those Apps every time, for convenience and to fulfill the compliance retention requirement, can we set frozenTimePeriodInSecs at App level instead of at System level or one by one per index name (which would also avoid human mistakes)?
I tried it: under $SPLUNK_HOME/etc/app/compliance/local and $SPLUNK_HOME/etc/app/audit/local, I configured indexes.conf in each app by adding a [default] stanza and setting the frozenTimePeriodInSecs field to 180 days and 90 days, and I disabled the global setting under System/local/indexes.conf. However, it seems to have failed due to a precedence order issue.
1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority
At the same level of App local directories, the default always gets the smaller value, which is 90 days.
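The collision described in the post can be reproduced with a simplified model of Splunk's global-context merge for indexes.conf, followed by the per-index layout that avoids it. This is an added example, not part of the original post and not Splunk code; the index names (compliance_fw, compliance_db, audit_os) are hypothetical and the model tracks only frozenTimePeriodInSecs.

```python
# Simplified model of the global-context merge for indexes.conf (added example).
DAY = 86400

# Constructed sample: each app's local/indexes.conf as {stanza: {key: value}}.
APP_LOCAL = {
    "compliance": {"default": {"frozenTimePeriodInSecs": 180 * DAY}},
    "audit": {"default": {"frozenTimePeriodInSecs": 90 * DAY}},
}

def merge_global(app_local, system_local=None):
    """Merge layers highest priority first; a key already set is never overridden."""
    layers = [system_local or {}]
    # Among app directories, priority follows lexicographical (ASCII) order of names.
    layers += [app_local[name] for name in sorted(app_local)]
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            target = merged.setdefault(stanza, {})
            for key, value in settings.items():
                target.setdefault(key, value)
    return merged

def effective_retention(merged, index):
    """A per-index stanza wins over [default], which applies to every index."""
    for stanza in (index, "default"):
        value = merged.get(stanza, {}).get("frozenTimePeriodInSecs")
        if value is not None:
            return value
    return None

def per_index_stanzas(index_names, days):
    """Build explicit per-index stanzas so retention does not depend on [default]."""
    return {name: {"frozenTimePeriodInSecs": days * DAY} for name in index_names}

if __name__ == "__main__":
    # Two apps both setting [default]: one global stanza, one winner for all indexes.
    collided = merge_global(APP_LOCAL)
    print("compliance_fw", effective_retention(collided, "compliance_fw") // DAY, "days")
    # Per-index stanzas in each app: no shared stanza, so nothing collides.
    fixed = merge_global({
        "compliance": per_index_stanzas(["compliance_fw", "compliance_db"], 180),
        "audit": per_index_stanzas(["audit_os"], 90),
    })
    for idx in ("compliance_fw", "compliance_db", "audit_os"):
        print(idx, effective_retention(fixed, idx) // DAY, "days")
```

On a real deployment, `splunk btool indexes list --debug` shows which file supplied each effective setting.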