Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Configure Spunk Hot/Warm, Cold and Frozen

erlindemberg
Explorer
‎01-09-2020 09:41 AM

How do I configure HOT / WARM, COULD, and FROZEN in Splunk Enterpise?

I need to configure Splunk Data Retention and which folder and file to make sure of this setting.

The settings I need to provide for Splunk. My Splunk version is 7.2

Hot / Warm = 14 days
Could = 60 days
Frozen = 11 months

Can you help me with this setting?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2020 03:56 AM

Buckets roll when they reach a certain size or when the reach a certain age, whichever happens first. To make time the only factor, you must set the size limit high enough that it is no longer a factor. It helps if your hot buckets are configured so they contain only a single day of data.

Frozen buckets are not managed by Splunk. You control when they are deleted (using cron, etc.).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jarizeloyola
Path Finder
‎01-09-2020 11:25 AM

You cannot set time retention on hot or warm buckets, it rolls once a certain limit is reached.

This links will help you set that up and understand the Splunk Data life cycle
https://wiki.splunk.com/Deploy:BucketRotationAndRetention
https://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Configureindexstorage
https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...