Any Risk if increased/decreased index data size

ips_mandar · ‎05-22-2020

Hi,
I have created one index of size 500GB(maxTotalDataSizeMb) and also included frozen path where data will get stored after 500Gb data gets completed. Now I want to know below-
1. If I Increased size of that index to 1TB then is there any risk involved of data gets deleted?
2. After changing to 1TB If I consider to reduce data size to 800 Gb then remaining 200Gb data will go to frozen path? is there any risk involved/any precaution neeeds to be taken to avoid data loss?
3. If I want to move frozen bucket to be searchable then I copied particular frozen bucket to thawed path and then after data retention those buckets moved to frozen path then will I have duplicate buckets? so I need to move frozen bucket to thawed path instead of copying it?
thanks,

richgalloway · ‎05-22-2020

Increasing the size of an index does not result in data getting deleted.
Since you have a frozen path, data will not be deleted. It will be moved to the frozen directory.
Thawed data is not managed by Splunk so it will not be re-frozen. It will not be replicated or duplicated. When the thawed data is not longer needed, it must be removed manually.

---
If this reply helps you, Karma would be appreciated.

Any Risk if increased/decreased index data size

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application