Deployment Architecture

How does the frozen bucket work exactly?

daniel333
Builder

All,

So I have frozenTimePeriodInSecs=10368000 in my indexes.conf. That is 120 days old. Yet i have data going back more than 120 days. When does Splunk run its process to purge this data?

Guess I assumed a nightly job checked for old data and dumped it.

0 Karma

gjanders
SplunkTrust
SplunkTrust

Refer to Freeze data when it grows too old in the Set a retirement and archiving policy page

You can use the age of data to determine when a bucket gets rolled to frozen. When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled. 

In other words the entire bucket has to be past that date, a bucket may contain 1 hour of data, it might contain data over a 3 week period, either way it cannot freeze until the most recent data is past the frozenTimePeriodInSecs

kmorris_splunk
Splunk Employee
Splunk Employee

This is on a per index basis. It's possible you have other indexes that don't roll after 120 days.

http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Setaretirementandarchivingpolicy

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @daniel333,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...