Deployment Architecture

Any Risk if increased/decreased index data size

ips_mandar
Builder

Hi,
I have created one index of size 500GB(maxTotalDataSizeMb) and also included frozen path where data will get stored after 500Gb data gets completed. Now I want to know below-
1. If I Increased size of that index to 1TB then is there any risk involved of data gets deleted?
2. After changing to 1TB If I consider to reduce data size to 800 Gb then remaining 200Gb data will go to frozen path? is there any risk involved/any precaution neeeds to be taken to avoid data loss?
3. If I want to move frozen bucket to be searchable then I copied particular frozen bucket to thawed path and then after data retention those buckets moved to frozen path then will I have duplicate buckets? so I need to move frozen bucket to thawed path instead of copying it?
thanks,

0 Karma

richgalloway
SplunkTrust
SplunkTrust
  1. Increasing the size of an index does not result in data getting deleted.
  2. Since you have a frozen path, data will not be deleted. It will be moved to the frozen directory.
  3. Thawed data is not managed by Splunk so it will not be re-frozen. It will not be replicated or duplicated. When the thawed data is not longer needed, it must be removed manually.
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...