Re: Splunk Index Not able to go to Cold Storage

Ealderiso · ‎09-26-2016

We have a splunk index that is not properly moving to cold storage. We are just looking for some troubleshooting steps. We are trying to find where the Cold Path is defined for indexes by default. Our other indexes are moving to /var/splunk-cold/ however this one index is not moving its cold data here.

Where can we define where cold storage goes for an index?

ddrillic · ‎10-02-2016

As @maciep said, the definitions are under indexes.conf

By default we have -

[hatch]

homePath   = $SPLUNK_DB/hatchdb/db
coldPath   = $SPLUNK_DB/hatchdb/colddb
thawedPath = $SPLUNK_DB/hatchdb/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

For each index, a colddb directory exists under the index main directory.

maciep · ‎10-02-2016

The cold path would be defined in indexes.conf. But you might be better off using btool to get the settings for that index:

splunk btool indexes list [your index name]

But out of curiosity are you saying that the data is being deleted instead of rolling to cold? Or is it remaining warm? Or something else? Knowing what's happening might allow to provide more specific troubleshooting steps.

Splunk Index Not able to go to Cold Storage

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation