Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bucket Mover

gudavasr
Path Finder
‎07-18-2013 10:37 AM

Hi,

I upgraded splunk version from 4.3.1 to 5.0.3 and I noticed indexes are moved to frozen state.

And after Upgrade, the log shows this:
frozenTimePeriodInSecs not specified in config for index main. Defaulting to: 432000 seconds

I searched for 432000 in all my conf files but I can't find.

Now, the logs show this:

BucketMover - will attempt to freeze: /dev1_index/db/db_1373564795_1373510323_84 because frozenTimePeriodInSecs=432000 exceeds difference between now=1373996815 and latest=1373564795

I searched for 432000 but could not find anywhere. here is my frozentime configured in all indexes:

frozenTimePeriodInSecs = 188697600
frozenTimePeriodInSecs = 604800
frozenTimePeriodInSecs = 2419200
frozenTimePeriodInSecs = 2419200
frozenTimePeriodInSecs = 0
frozenTimePeriodInSecs = 2419200
frozenTimePeriodInSecs = 2419200
frozenTimePeriodInSecs = 7776000
frozenTimePeriodInSecs = 188697600
frozenTimePeriodInSecs = 604800
frozenTimePeriodInSecs = 2419200
frozenTimePeriodInSecs = 2419200
frozenTimePeriodInSecs = 0

Did anyone experience this? can someone help?

Thank You

Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-18-2013 12:48 PM

The default will not appear in any configuration file. Splunk is telling you that this is the value it will use if no frozenTimePeriodInSecs is specified for an index - and that the main index does not have a frozenTimePeriodInSecs specification. You should be able to set this value for the main index by editing $SPLUNK_HOME/etc/system/local/indexes.conf and adding

[main]
frozenTimePeriodInSecs = 188697600

or whatever value you prefer.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-18-2013 12:48 PM

The default will not appear in any configuration file. Splunk is telling you that this is the value it will use if no frozenTimePeriodInSecs is specified for an index - and that the main index does not have a frozenTimePeriodInSecs specification. You should be able to set this value for the main index by editing $SPLUNK_HOME/etc/system/local/indexes.conf and adding

[main]
frozenTimePeriodInSecs = 188697600

or whatever value you prefer.

Reply
Solved! Jump to solution

gudavasr
Path Finder
‎07-18-2013 01:24 PM

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...