Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Archiving all indexes after 1 year

heathramos
Path Finder
‎08-02-2017 07:10 AM

I am trying to set up archiving but I can't seem to get it working.

From the docs I've read, I thought I just need to create a indexes.conf file, place it within system/local and include a line referring to coldToFrozenDir and frozenTimePeriodInSecs .

I tried that for one index and if I restart Splunk, the service won't start back up again unless I delete that file.

How exactly do I set this up?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-02-2017 07:56 AM

If Splunk doesn't restart because of indexes.conf issues, it should give you some error messages in $SPLUNK_HOME\var\run\splunk\splunkd.log during startup (given your example, I am assuming you are running on Windows)
It would be helpful to see what is being logged.

My best guess is the quotes in your directory, which probably prevent resolution of the env. variable.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-02-2017 07:56 AM

If Splunk doesn't restart because of indexes.conf issues, it should give you some error messages in $SPLUNK_HOME\var\run\splunk\splunkd.log during startup (given your example, I am assuming you are running on Windows)
It would be helpful to see what is being logged.

My best guess is the quotes in your directory, which probably prevent resolution of the env. variable.

0 Karma
Reply
Solved! Jump to solution

heathramos
Path Finder
‎08-02-2017 08:22 AM

changed the path and restarted splunk

got the following error:

ERROR loader - Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index 'windows': path of coldToFrozenDir must be absolute ('"d:\Splunk_Archive\windows"')

0 Karma
Reply
Solved! Jump to solution

heathramos
Path Finder
‎08-02-2017 09:26 AM

looks like getting rid of the quotes completely worked

thanks

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-02-2017 12:56 PM

Thank you for closing the loop!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2017 09:47 AM

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-02-2017 07:34 AM

It may be crashing due to wrong configs (indexes.conf is an important configuration file). Make sure you update the config file correctly. See this links for details on those properties.
https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Setaretirementandarchivingpolicy
https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Automatearchiving

0 Karma
Reply
Solved! Jump to solution

heathramos
Path Finder
‎08-02-2017 07:41 AM

What should be in that config file?

My file contains the following:

[windows]
coldToFrozenDir = "$SPLUNK_DB\windows\frozendb"
frozenTimePeriodInSecs = 31536000

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-02-2017 07:48 AM

Try putting hardcoded path (full path) in coldToFrozenDir attribute.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...