Is there a way to control the size of Frozen Bucke...

marciodcr · ‎08-29-2014

Hi,

I need to retain about 6 months of events (3 months of searchable data + 3 months stored on frozen data).

The frozen data will be stored in a NFS volume and i would like to know if there is a way to control the total disk space used by the frozen buckets.

The main reason is to avoid out of disk space on the NFS Volume.

Thank you!

Thanks!

yannK · ‎08-29-2014

The frozen data will be stored in a NFS volume and i would like to know if there is a way to control the total disk space used by the frozen buckets.

No, the frozen buckets are considered as out of splunk, their size and volume are not monitored or controlled.
They are under the responsibility of your archive administrator to move them or rotate them to ensure disk space for the future frozen buckets,.

OL · ‎08-29-2014

Hi Marciodcr,

If I'm not mistaking, the frozen buckets name will contain the epoch time (db_) the same way we have with the warm and cold buckets. therefore you could create a simple script which will check the earliest time of each bucket from the name and remove all the old one.

Does this make sense?

More information on buckets, have a look at the documentation: http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/HowSplunkstoresindexes

Regards,
Olivier

Is there a way to control the size of Frozen Buckets?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!