Solved: How do I roll buckets to frozen by # of days?

jamesvz84 · ‎02-04-2015

I would like to keep data for an index around for no longer than 6 months. Is there a setting to do this or can I only roll based on size?

ppablo · ‎02-04-2015

Hi @jamesvz84

I think you're looking for the frozenTimePeriodInSecs configuration. Here's the relevant documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Setaretirementandarchivingpolicy#Set_attri...

View solution in original post

masonmorales · ‎02-04-2015

It's possible, but not from the GUI. You need to edit your indexes.conf (likely at either $SPLUNK_HOME/etc/system/local/indexes.conf -- or $SPLUNK_HOME/etc/apps/search/local/indexes.conf) and add the following to whichever index stanza you want to change:

frozenTimePeriodInSecs = 15778463

Then, restart the indexer for the change to take effect.

See also: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy#Set_att...

masonmorales · ‎02-04-2015

For more information, refer to: http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Indexesconf

ppablo · ‎02-04-2015

Hi @jamesvz84

I think you're looking for the frozenTimePeriodInSecs configuration. Here's the relevant documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Setaretirementandarchivingpolicy#Set_attri...

ppablo · ‎02-04-2015

Just adding extra info, the default configuration is frozenTimePeriodInSecs=188697600 which is 6 years before data gets rolled to frozen, but the link provided actually uses 180 days (or 15552000 seconds) in the example which is approximately 6 months.

How do I roll buckets to frozen by # of days?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases