A maxDataSize of 20 seems far too small; Splunk defaults to 750MB.
From my own notes on this:
"When an index hits the size limit it will roll buckets to frozen based on the oldest bucket, even though this bucket may contain both old and new data"
In other words, the oldest date in the bucket is the one used to decide which bucket rolls to cold. Perhaps the bucket that holds the "newest" data also holds the oldest data?
This same answer might relate to your frozen data question as well: the buckets will roll to frozen based on the oldest datestamp when the size limits are hit.
Without the size limits the bucket would roll to frozen when the newest date is past the frozen time period...
To add to teunlaan's answer - if all events in your bucket are older than 1800 seconds it will freeze. You can check buckets using this search:
| dbinspect index=<your_index>
| eval span=replace(replace(replace(replace(tostring(ceiling(endEpoch-startEpoch), "duration"),"(?:(\d+)\+?)(\d+)\:(\d+):(\d+)","\1d \2h \3m \4s"), "(?<!\d)0+[dhms]", ""), "^\s+$", "00s"), "0(?=\d[dhms])", "")
| convert ctime(startEpoch) as startDate, ctime(endEpoch) as endDate
| table splunk_server, index, state, startDate, endDate, span, sizeOnDiskMB
To answer your other question about maxHotSpanSecs not working: it's because you hit the maxDataSize first, so the hot bucket rolls to warm based on size. The first condition to hit (either time or size) wins.
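To make the rules in both answers above concrete, here is an added example (not code from the thread or from Splunk) that models the bucket lifecycle as described: a hot bucket rolls to warm on whichever of maxDataSize or maxHotSpanSecs is hit first, a warm/cold bucket freezes by age only once its newest event (endEpoch) is older than frozenTimePeriodInSecs, and a size-triggered freeze takes the bucket holding the oldest event first. The thresholds reuse the values from the thread (maxDataSize=20, frozenTimePeriodInSecs=1800); MAX_HOT_SPAN_SECS, the total-size cap, the bucket names and the bucket timestamps are constructed, and the choice of startEpoch as the "oldest datestamp" ordering is an assumption taken from teunlaan's wording, not a statement about Splunk's internals.

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds from the thread (maxDataSize=20 MB, frozenTimePeriodInSecs=1800);
# the other two are constructed for the example.
MAX_DATA_SIZE_MB = 20
FROZEN_TIME_PERIOD_SECS = 1800
MAX_HOT_SPAN_SECS = 86400          # assumed one-day span limit
MAX_TOTAL_DATA_SIZE_MB = 100       # assumed index size cap


@dataclass
class Bucket:
    """Constructed stand-in for one row of dbinspect output."""
    name: str
    state: str          # "hot", "warm", "cold" or "frozen"
    start_epoch: int    # oldest event timestamp in the bucket (startEpoch)
    end_epoch: int      # newest event timestamp in the bucket (endEpoch)
    size_mb: float      # sizeOnDiskMB


def hot_roll_reason(b: Bucket) -> Optional[str]:
    """Why a hot bucket rolls to warm: the first limit reached wins.
    Both limits are evaluated; with a 20 MB cap the size limit is almost
    always reached before the span limit, which is why maxHotSpanSecs
    appears not to work in the thread."""
    if b.state != "hot":
        return None
    if b.size_mb >= MAX_DATA_SIZE_MB:
        return "maxDataSize"
    if b.end_epoch - b.start_epoch >= MAX_HOT_SPAN_SECS:
        return "maxHotSpanSecs"
    return None


def freezes_by_age(b: Bucket, now: int) -> bool:
    """A warm/cold bucket freezes by age only when ALL its events are older
    than frozenTimePeriodInSecs, i.e. when its newest event is."""
    return b.state in ("warm", "cold") and (now - b.end_epoch) > FROZEN_TIME_PERIOD_SECS


def freeze_for_size(buckets: List[Bucket]) -> List[str]:
    """Size-triggered freeze: while the index exceeds its cap, freeze
    non-hot buckets starting from the one holding the oldest event
    (assumption: ordered by startEpoch). Returns the names frozen, in order.
    Note that such a bucket may also contain recent events, which is the
    'old and new data in one bucket' point made in the first answer."""
    frozen = []
    total = sum(b.size_mb for b in buckets if b.state != "frozen")
    for b in sorted(buckets, key=lambda x: x.start_epoch):
        if total <= MAX_TOTAL_DATA_SIZE_MB:
            break
        if b.state in ("warm", "cold"):
            b.state = "frozen"
            total -= b.size_mb
            frozen.append(b.name)
    return frozen


def demo() -> dict:
    """Run the three rules over constructed buckets and return the outcomes."""
    now = 1_700_000_000
    hot_big = Bucket("db_hot_1", "hot", now - 600, now, 20.5)          # over 20 MB
    hot_small = Bucket("db_hot_2", "hot", now - 100, now, 3.0)
    warm_recent = Bucket("db_warm_1", "warm", now - 4000, now - 900, 15.0)   # newest event 15 min old
    warm_old = Bucket("db_warm_2", "warm", now - 9000, now - 3600, 15.0)     # all events > 30 min old
    cold_oldest = Bucket("db_cold_1", "cold", now - 20000, now - 50, 60.0)   # oldest start, but recent end
    buckets = [hot_big, hot_small, warm_recent, warm_old, cold_oldest]
    return {
        "hot_roll": {b.name: hot_roll_reason(b) for b in buckets if b.state == "hot"},
        "age_freeze": {b.name: freezes_by_age(b, now) for b in buckets},
        "size_freeze": freeze_for_size(buckets),   # total 113.5 MB > 100 MB cap
    }


if __name__ == "__main__":
    for rule, result in demo().items():
        print(rule, result)
```

In the demo, `db_cold_1` is frozen by the size rule even though its newest event is under a minute old, which is exactly the surprise the first answer warns about; checking `state`, `startDate` and `endDate` in the `dbinspect` search above shows whether your own buckets mix old and new events that way.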