1. I have 4 indexer cluster (not a multi-site)with a Search Head Cluster.
2. Each indexer is having 2TB Hard disk
3. I have a deployer server and Cluster master to manage the Cluster setups
Can anyone suggest me how can I configure the Log retention policy so that my 2TB HDD doesn't get exhausted? My intention is to use complete 2TB HDD for Hot and Worm buckets and once the data is ready to move to Cold/Frozen path I would like to transfer the logs to my Azure blobs. There is no specific plan with respect to number of days(log types) instead, its based on the amount of HDD which I have (2TB).
A volume can be used for a single index or multiple indexes.
We have hot and cold volumes defined, and pointed to hot (SSD) and cold (HDD) storage.
We have sized the storage based on our expected usage for a given time period (hot/warm - 30 days, cold - 90 days). We then use the volume to control the hot/warm/cold.
Since the indexes can fluctuate in usage, we have had to increase the maxTotalDataSizeMB for some indexes which are going to exceed the default setting. We set frozenTimePeriodInSecs to control the data retention.
If you are only using one index, you can also apply sizing controls to it:
One more thing u missed while suggesting is that transfer of frozen data to my Azure blobs.
Specifies a script to run when data is to leave the splunk index system.
* Essentially, this implements any archival tasks before the data is deleted out of its default location.
* Add "$DIR" (including quotes) to this setting on Windows (see below for details).
* Script Requirements: * The script must accept one argument:
* An absolute path to the bucket directory to archive.