Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to set frozenTimePeriodInSecs under a different App?

henrysoon80
New Member
‎12-09-2020 01:17 AM

Hi All Splunker,

May I know how to set frozenTimePeriodInSecs under a different App?

Example Compliance App retention period is 180 days for all index name, Audit App retention is 90 days for all index name, due to every time need create a lot of index name under those App, for convenient and fulfill the compliance retention needed, can we set frozenTimePeriodInSecs under App-level instead of System-level or one by one index name (avoid human mistake also)?

I got try it under $SPLUNK_HOME/etc/app/compliance/local and $SPLUNK_HOME/etc/app/audit/local under each app configure indexes.conf by input [default] stanza and set the frozenTimePeriodInSecs field for 180 days and 90 days and disabled global setting under System/local/indexes.conf. However, seem like it was failed due to precedence order issue.

1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority

If the same level of App local directories the default always gets the smaller value which is 90 days.

So any expert over here can provide some advice?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-09-2020 06:10 AM

Retention is per-index, not per-app.  You can set the retention for an index in any app, but if the same index (or all indexes) is set in more than one app then the rules of precedence apply. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...