Deployment Architecture

Any Risk if increased/decreased index data size

ips_mandar
Builder

Hi,
I have created one index of size 500GB(maxTotalDataSizeMb) and also included frozen path where data will get stored after 500Gb data gets completed. Now I want to know below-
1. If I Increased size of that index to 1TB then is there any risk involved of data gets deleted?
2. After changing to 1TB If I consider to reduce data size to 800 Gb then remaining 200Gb data will go to frozen path? is there any risk involved/any precaution neeeds to be taken to avoid data loss?
3. If I want to move frozen bucket to be searchable then I copied particular frozen bucket to thawed path and then after data retention those buckets moved to frozen path then will I have duplicate buckets? so I need to move frozen bucket to thawed path instead of copying it?
thanks,

0 Karma

richgalloway
SplunkTrust
SplunkTrust
  1. Increasing the size of an index does not result in data getting deleted.
  2. Since you have a frozen path, data will not be deleted. It will be moved to the frozen directory.
  3. Thawed data is not managed by Splunk so it will not be re-frozen. It will not be replicated or duplicated. When the thawed data is not longer needed, it must be removed manually.
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...