Hi there!
I'm trying to set up the buckets in one Splunk deployment. I want to delete events greater than 1 week, and for that I wrote the following parameters for some indexes inside **local/indexes.conf**:
```
frozenTimePeriodInSecs = 604800
rotatePeriodInSecs = 60
maxHotBuckets = 1
maxHotSpanSecs = 3600
maxHotIdleSecs = 60
maxWarmDBCount = 1
```
I checked **splunkd.log** and the BucketMover works without errors... but when I check the events inside the indexes with the following query...
```
index=someindex | chart count over date_mday by date_month
```
... Splunk shows me events from days outside the **frozenTimePeriodInSecs** that I set. Sometimes 3 days more, other times even 6 or more...
Any clues?
Deployment:
OS: Ubuntu Server 14.04 LTS 64-bit
Splunk: Enterprise 6.3.2