Solved: How do I verify that a configuration change for sh...

wwhitener · ‎09-19-2011

Good afternoon,

I am trying to verify a configuration change. I've shortened the indexes.conf to make the frozenTimePeriodInSecs shorter than the default--about a week. How do I verify that the change has gone through? I've tried looking at some static log files I had indexed to test and those don't appear to have changed. I've tried indexing and looking at splunk log files (test system--nothing really is going in it) and those seem to show that the data has been pruned and cleared out. If someone knows how to veirfy and prove that this change has worked, could I please get a clue from you on how to go about it?

Thank you.

Edited to add: Our test server is 3.4.5.

wwhitener · ‎09-28-2011

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

View solution in original post

wwhitener · ‎09-28-2011

This one seemed to be universally able to get something--from 4.2.2 and from 3.4.5:

index=_internal source=*splunkd.log bucketmover OR freeze

Not sure why, but putting it in all lower case seems to help it find events.

MarioM · ‎09-19-2011

You should see INFO entries about BucketMover in splunkd.log:

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" component="BucketMover"

Some message similar to this:

09-20-2011 08:01:08.990 +0200 INFO  BucketMover - AsyncFreezer freeze succeeded for /opt/splunk/var/lib/splunk/defaultdb/colddb/db_1308473665_1308226506_25

wwhitener · ‎09-20-2011

I don't know if this is a matter of version or not--we're on 3.4.5--but when I try to query on the BucketMover component, I get zero results returned.

How do I verify that a configuration change for shortening the time to frozen has gone through?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!