Solved: Re: How does frozenTimePeriodInSecs on search head...

mhorbul · ‎09-25-2014

I have a Splunk cluster with 5 indexers, 1 cluster master and 1 search head. All 5 indexer got the same indexes.conf distributed by cluster master with the same frozenTimePeriodInSecs=2592000 but the search head is not configured via cluster bundle so it ended up having default value which is 188697600. Will that value affect the retention policy which is expected to be 30 days (2592000 sec) or only indexers' frozenTimePeriodInSecs is considered by Splunk when it decided which bucket needs to be freeze.

$ /opt/splunk/bin/splunk search "| rest /services/data/indexes | search title=main |fields title,frozenTimePeriodInSecs,splunk_server"

title frozenTimePeriodInSecs splunk_server
----- ---------------------- -------------
main               188697600 search-head
main                 2592000 indexer01
main                 2592000 indexer02
main                 2592000 indexer03
main                 2592000 indexer04
main                 2592000 indexer05

Thank you,
Max

sowings · ‎09-25-2014

Not at all. Retention is handled on a per-node basis.

NOTE: This is true for size-based restrictions as well. A limit of "500,000 MB" (default) is per-host, not cumulative.

View solution in original post

sowings · ‎09-25-2014

Not at all. Retention is handled on a per-node basis.

NOTE: This is true for size-based restrictions as well. A limit of "500,000 MB" (default) is per-host, not cumulative.

mhorbul · ‎09-25-2014

Thank you!

How does frozenTimePeriodInSecs on search head affect the cluster retention policy?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...