Hi,
Our default age for all events is 3 months, but there is a specific index that's needs events to still be available for a year. A new storage location has been created and I am ready to make the change in the indexes.conf for this index. But, if I need to keep the existing events, is it just a matter of copying over all the db directories from the old /cold location to the new /cold location?
Thanks
Yup, simple as that. Since it's cold data (not being written to), you can copy the files while the indexer(s) is up, make the config changes, and then restart Splunk. Downtime will be minimal, just a normal restart.
Yup, simple as that. Since it's cold data (not being written to), you can copy the files while the indexer(s) is up, make the config changes, and then restart Splunk. Downtime will be minimal, just a normal restart.