How does the frozen bucket work exactly?

daniel333 · ‎10-23-2018

All,

So I have frozenTimePeriodInSecs=10368000 in my indexes.conf. That is 120 days old. Yet i have data going back more than 120 days. When does Splunk run its process to purge this data?

Guess I assumed a nightly job checked for old data and dumped it.

gjanders · ‎10-23-2018

Refer to Freeze data when it grows too old in the Set a retirement and archiving policy page

You can use the age of data to determine when a bucket gets rolled to frozen. When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled.

In other words the entire bucket has to be past that date, a bucket may contain 1 hour of data, it might contain data over a 3 week period, either way it cannot freeze until the most recent data is past the frozenTimePeriodInSecs

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

kmorris_splunk · ‎10-23-2018

This is on a per index basis. It's possible you have other indexes that don't roll after 120 days.

http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Setaretirementandarchivingpolicy

mstjohn_splunk · ‎10-25-2018

hi @daniel333,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

How does the frozen bucket work exactly?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio