It's possible from 4.1.5 to roll over indexes manually with ./splunk _internal call /data/indexes/<index_name>/roll-hot-buckets –auth <admin_username>:<admin_password>
So it would be possible to add this as a cron job for this to appear on a weekly basis. But then you need to add a user with admin role and the password for this user in clear.
It would be nice to let splunk itself run this command from a saved search, or as an internal command. There is already an internal cron running for splunk, creating reports and searches.
Does such feature exist or on the roadmap?
In general it would be desirable to do this. You can in fact create a custom search command that is passed a login token: http://answers.splunk.com/questions/6707/splunk-admin-credentials-in-scripted-input and schedule that from within Splunk.
However, to your particular point, why are you doing this? Is it for backup purposes? It's generally a bad idea to roll indexes before they're ready, as it can cause long-term degradation in search performance over the data. If you're concerned about hot buckets remaining open for too long without being backed up or closed, it would be better to set the maxHotIdleSecs to something like 86400 (1 day).
The purpose for my question is for backup purposes yes. I would like to have a predictable roll-over of hot buckets so I know that data in the hot buckets is no older than 7 days, as an example. The maxHotIdleSecs
seems only to be working when the maxHotBuckets
has been exceeded. Ie this is not predictable.