How does quarantinePastSecs work? Because I just set it to 90 days and it truncated my entire index. A massive freezing.

twinspop
Influencer

EDIT: Ignore this question.

I made the change as described, but there were a few indexes with edits in the conf file already. They happened to be the 2 biggest and the 2 I checked when I saw the freeze storm. I saw a max data life of about 90 days, correlated with the quarantine setting, and jumped to a poor conclusion.

I wish I had a better excuse than that.

Original fable:

At the recommendation from Splunk support, for busy indexers, I changed the value to 7776000, or 90 days. Upon applying to my cluster, I saw a massive freeze event and lost all data older than 90d.

Working on my resume.

😞

0 Karma

twinspop
Influencer

Bogus. Situation resolved. Move along, nothing to see here.

0 Karma

twinspop
Influencer

Long story short: My mistake. This is bogus. Sorry for adding to the noise in this forum.

0 Karma

mattymo
Splunk Employee

Yeah, there must be more to this...

quarantine simply has Splunk TRY to make new buckets for any new events received whose timestamp is OLDER than 90 days ago. I say try, because depending on indexes.conf configs for hot buckets, it may have no choice but to throw it in an open bucket with the closest time to the event...

I would double check your frozenTimePeriodInSecs settings in your index's stanza as well as your global config stanza, as that is the likely culprit...not quarantine.

quarantinePastSecs = <positive integer>
* Events with timestamp of quarantinePastSecs older than "now" will be
  dropped into quarantine bucket.
* This is a mechanism to prevent the main hot buckets from being polluted
  with fringe events.
* Highest legal value is 4294967295
* Defaults to 77760000 (900 days).

frozenTimePeriodInSecs = <nonnegative integer>
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to
  frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs
  before it will roll. Then, the DB will be frozen the next time splunkd
  checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).
- MattyMo
0 Karma
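
The check suggested in the reply above, as an added example that is not part of the thread and is not Splunk code: it resolves the effective frozenTimePeriodInSecs and quarantinePastSecs for each index in a single indexes.conf, showing whether each value comes from the index stanza, the [default] stanza, or the spec defaults quoted above. The sample config and index names are constructed, and it assumes one file with global settings under [default].

```python
import configparser

# Defaults as quoted from the indexes.conf spec text in the reply above.
SPEC_DEFAULTS = {"frozenTimePeriodInSecs": "188697600",
                 "quarantinePastSecs": "77760000"}
DAY = 86400

# Constructed sample: a global quarantine change plus two indexes that
# already carried their own retention override.
SAMPLE_CONF = """
[default]
quarantinePastSecs = 7776000

[web]
homePath = $SPLUNK_DB/web/db
frozenTimePeriodInSecs = 7776000

[firewall]
frozenTimePeriodInSecs = 7776000

[audit_archive]
homePath = $SPLUNK_DB/audit_archive/db
"""

def effective_settings(conf_text):
    """Return {index: {setting: (seconds, source)}} after [default] inheritance."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    glob = dict(cp["default"]) if cp.has_section("default") else {}
    out = {}
    for name in cp.sections():
        if name == "default":
            continue
        out[name] = {}
        for key, spec_val in SPEC_DEFAULTS.items():
            if key in cp[name]:
                val, src = cp[name][key], "stanza"
            elif key in glob:
                val, src = glob[key], "[default]"
            else:
                val, src = spec_val, "spec default"
            out[name][key] = (int(val), src)
    return out

def retention_report(conf_text):
    """One line per index: when data freezes and where that value came from."""
    return [f"{n}: freezes after {s['frozenTimePeriodInSecs'][0] // DAY}d "
            f"({s['frozenTimePeriodInSecs'][1]}); quarantine past "
            f"{s['quarantinePastSecs'][0] // DAY}d ({s['quarantinePastSecs'][1]})"
            for n, s in sorted(effective_settings(conf_text).items())]
```

On a real deployment the effective values are merged across several indexes.conf files, which `splunk btool indexes list --debug` reports along with the file each value came from.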

martin_mueller
SplunkTrust

I've just set this on my home Splunk, and years of data are still there. Do post your complete index config pre- and post-apply.

0 Karma