Why are Splunk searches returning events outside the frozenTimePeriodInSecs setting?

Communicator

Hi there!

I'm trying to set up the buckets in one Splunk deployment. I want to delete events older than 1 week, and for that I wrote the following parameters for some indexes inside local/indexes.conf:

frozenTimePeriodInSecs = 604800
rotatePeriodInSecs = 60
maxHotBuckets = 1
maxHotSpanSecs = 3600
maxHotIdleSecs = 60
maxWarmDBCount = 1

I checked splunkd.log and the BucketMover works without errors... but when I check the events inside the indexes with the following search...

index=someindex | chart count over date_mday by date_month

... Splunk shows me events from days outside the frozenTimePeriodInSecs that I set. Sometimes 3 days more, other times even 6 or more...

Any clues?

Deployment:
OS: Ubuntu server 14.04LTS 64bits
Splunk: Enterprise 6.3.2


Splunk Employee

Remember that this setting is applied to a bucket as a whole, not to individual events. So in order for Splunk to freeze a bucket, all events in the bucket must be past frozenTimePeriodInSecs.

Communicator

Also, the hot bucket doesn't count for this purpose, and because of that I will have frozenTimePeriodInSecs + hot bucket events in the indexes... is that right?

Thanks @dgrubb_splunk

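To make the accepted answer and the follow-up about the hot bucket concrete, here is an added Python model; it is not code from the thread or from Splunk. It groups event timestamps into buckets that span at most maxHotSpanSecs, freezes a bucket only when its newest event is older than frozenTimePeriodInSecs, and compares the result with a naive per-event cutoff. The bucket-assignment rule and the sample timestamps are constructed assumptions: real Splunk buckets are formed by arrival order and several other indexes.conf settings, so the numbers below only illustrate why the oldest searchable event can be older than the retention period by up to a bucket's span.

```python
"""Toy model of whole-bucket freezing (added example, not from the thread or from Splunk).

Assumption: a bucket is a group of event _time values spanning at most
MAX_HOT_SPAN_SECS, filled in timestamp order.  Real Splunk bucket boundaries
also depend on arrival order, maxHotBuckets, maxHotIdleSecs, etc.
"""
from dataclasses import dataclass, field
from typing import Dict, List

FROZEN_TIME_PERIOD_SECS = 604800   # frozenTimePeriodInSecs from the question (7 days)
MAX_HOT_SPAN_SECS = 3600           # maxHotSpanSecs from the question (1 hour)


@dataclass
class Bucket:
    events: List[int] = field(default_factory=list)   # event _time values, epoch seconds

    @property
    def earliest(self) -> int:
        return min(self.events)

    @property
    def latest(self) -> int:
        return max(self.events)


def assign_buckets(event_times: List[int], max_span: int = MAX_HOT_SPAN_SECS) -> List[Bucket]:
    """Group events so that no bucket spans more than max_span seconds (constructed rule)."""
    buckets: List[Bucket] = []
    for t in sorted(event_times):
        if buckets and t - buckets[-1].earliest <= max_span:
            buckets[-1].events.append(t)
        else:
            buckets.append(Bucket([t]))
    return buckets


def is_frozen(bucket: Bucket, now: int, frozen_period: int = FROZEN_TIME_PERIOD_SECS) -> bool:
    """A bucket freezes only when every event in it is past the cutoff,
    i.e. when its *newest* event is older than frozen_period (the accepted answer's point)."""
    return now - bucket.latest > frozen_period


def searchable_events(event_times: List[int], now: int,
                      max_span: int = MAX_HOT_SPAN_SECS,
                      frozen_period: int = FROZEN_TIME_PERIOD_SECS) -> List[int]:
    """Event times still searchable after whole buckets are frozen."""
    return sorted(t for b in assign_buckets(event_times, max_span)
                  if not is_frozen(b, now, frozen_period)
                  for t in b.events)


def per_event_cutoff(event_times: List[int], now: int,
                     frozen_period: int = FROZEN_TIME_PERIOD_SECS) -> List[int]:
    """What a per-event retention rule would keep; Splunk does NOT work this way."""
    return sorted(t for t in event_times if now - t <= frozen_period)


def retention_overshoot(event_times: List[int], now: int,
                        max_span: int = MAX_HOT_SPAN_SECS,
                        frozen_period: int = FROZEN_TIME_PERIOD_SECS) -> int:
    """Seconds by which the oldest searchable event exceeds frozen_period (0 if none).
    Bounded above by max_span in this model, because a bucket is only kept while
    its newest event is inside the period."""
    kept = searchable_events(event_times, now, max_span, frozen_period)
    if not kept:
        return 0
    return max(0, (now - kept[0]) - frozen_period)


# Constructed sample: "now" and four event timestamps placed around the retention cutoff.
NOW = 1_700_000_000
CUTOFF = NOW - FROZEN_TIME_PERIOD_SECS
SAMPLE_EVENT_TIMES = [
    CUTOFF - 50000,    # old, alone in its bucket -> bucket freezes
    CUTOFF - 3000,     # old, but shares a bucket with the next event -> stays searchable
    CUTOFF + 500,      # inside the period; keeps its bucket alive
    CUTOFF + 100000,   # recent
]


def demo() -> Dict[str, object]:
    """Run the model on the constructed sample and return the comparison."""
    return {
        "buckets": len(assign_buckets(SAMPLE_EVENT_TIMES)),
        "bucket_rule_keeps": searchable_events(SAMPLE_EVENT_TIMES, NOW),
        "per_event_rule_keeps": per_event_cutoff(SAMPLE_EVENT_TIMES, NOW),
        "overshoot_secs": retention_overshoot(SAMPLE_EVENT_TIMES, NOW),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the bucket rule keeps one event that is 3000 s older than the cutoff, because the bucket containing it also holds an event still inside the period; the per-event rule would have dropped it. In this model the overshoot can never exceed maxHotSpanSecs, so a spread of several days, as reported in the question, points to buckets whose spans are much larger than the configured 3600 s (for example buckets created before the new settings took effect), which is worth checking with the bucket time ranges before assuming the retention setting is broken.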