Could you use the latest(x) function? This will return the chronologically latest seen occurrence of a value of a field X
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/CommonStatsFunctions
... View more
https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf#http:_.28HTTP_Event_Collector.29
Here it lists all of the SSL options like serverCert = , sslKeysfile = , sslPassword = that would be potentially relevant for getting your certificates to work with the HTTP Event Collector
... View more
There is a thawed path for each index you have defined, so when you move the frozen bucket into the specific thawed path, it will be for that index
... View more