Getting Data In

Archiving all indexes after 1 year

heathramos
Path Finder

I am trying to set up archiving but I can't seem to get it working.

From the docs I've read, I thought I just need to create a indexes.conf file, place it within system/local and include a line referring to coldToFrozenDir and frozenTimePeriodInSecs .

I tried that for one index and if I restart Splunk, the service won't start back up again unless I delete that file.

How exactly do I set this up?

0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

If Splunk doesn't restart because of indexes.conf issues, it should give you some error messages in $SPLUNK_HOME\var\run\splunk\splunkd.log during startup (given your example, I am assuming you are running on Windows)
It would be helpful to see what is being logged.

My best guess is the quotes in your directory, which probably prevent resolution of the env. variable.

View solution in original post

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

If Splunk doesn't restart because of indexes.conf issues, it should give you some error messages in $SPLUNK_HOME\var\run\splunk\splunkd.log during startup (given your example, I am assuming you are running on Windows)
It would be helpful to see what is being logged.

My best guess is the quotes in your directory, which probably prevent resolution of the env. variable.

0 Karma

heathramos
Path Finder

changed the path and restarted splunk

got the following error:

ERROR loader - Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index 'windows': path of coldToFrozenDir must be absolute ('"d:\Splunk_Archive\windows"')

0 Karma

heathramos
Path Finder

looks like getting rid of the quotes completely worked

thanks

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Thank you for closing the loop!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
Revered Legend

It may be crashing due to wrong configs (indexes.conf is an important configuration file). Make sure you update the config file correctly. See this links for details on those properties.
https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Setaretirementandarchivingpolicy
https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Automatearchiving

0 Karma

heathramos
Path Finder

What should be in that config file?

My file contains the following:

[windows]
coldToFrozenDir = "$SPLUNK_DB\windows\frozendb"
frozenTimePeriodInSecs = 31536000

0 Karma

somesoni2
Revered Legend

Try putting hardcoded path (full path) in coldToFrozenDir attribute.

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...