Deployment Architecture

How to Move manually buckets from hot to cold

ajromero
Path Finder

we set the buckets to roll from hot into cold for 90 days, but for some reason is not doing it and we are running low on space. How can I manually move buckets from to cold to free space

 

Thank you

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Buckets normally move from hot to warm to cold rather than from hot directly to cold.

The default lifespan for a hot bucket is 90 days, after which it should roll to warm.  This can be changed with the maxHotSpanSecs attribute in indexes.conf.  You can also force a roll using REST or by restarting the indexer(s).

For a list of other attributes that affect index retention at each level, see https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Configureindexstorage

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Buckets normally move from hot to warm to cold rather than from hot directly to cold.

The default lifespan for a hot bucket is 90 days, after which it should roll to warm.  This can be changed with the maxHotSpanSecs attribute in indexes.conf.  You can also force a roll using REST or by restarting the indexer(s).

For a list of other attributes that affect index retention at each level, see https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Configureindexstorage

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...