Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Archiving of Indexes Not Working

jkfierro
Explorer
‎03-28-2014 06:11 AM

We are running Splunk 6.0.1 on a Centos Linux virtual machine.

The splunk application and indexes reside on a 200 GB disk. Of this 200 GB, hot/warm indexes consume about 165 GB.

Periodically, we get the message in splunkd.log (of course bucket name changes each time):

INFO BucketMover - will attempt to freeze bkt='/opt/splunk/var/lib/splunk/defaultdb/db/db_1363632727_1363632204_23' because maxTotalDataSize=178257920000 bytes, currentSize=178260974557 bytes

So, once the total index size reaches 166 GB, it deletes the oldest indexes. But we don't want this. We want to archive this data. Note: I have no idea where this setting "maxTotalDataSize" is coming from at the moment.

I have set coldToFrozenDir in the hopes that it will archive the indexes before deleting them. But it's not archving them at all. (Yes I restarted Splunk to take effect).

What do you think my next step should be? Thanks.

Tags (3)
0 Karma
Reply

MuS
Legend
‎03-28-2014 06:20 AM

Hi jkfierro,

this topic needs a lot of reading docs and wiki to be fully understood. But there are some very good examples like this:

hope after that, you get the archiving do what it should for you.

cheers, MuS

0 Karma
Reply

jkfierro
Explorer
‎03-28-2014 06:58 AM

I have already reviewed documentation on this. It was not clear to me what my particular issue is and how Splunk wants to behave in handling the indexes/archiving.

0 Karma
Reply

aelliott
Motivator
‎03-28-2014 06:18 AM

you can actually change your maxTotalDataSize in the UI and change your Frozen archive path.
Settings -> Indexes, then click on an index.
I would first verify that the path is there.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...