- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Data going directly to frozen
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Data going directly to frozen
Hello,
I have a new index - it's a monster - eating up my disk space. Until I move it to the physical server I need to fix it.
Well, I limited maxTotalDataSizeMB, seem working but the cold storage skipped landed in frozen directly, so I cannot search it.
The hot/warm storage is "local" on VM, the cold, frozen, thawed is an S3.
The optimal idea is 7 days in hot/warm (if over maxTotalDataSizeMB then faster) then go cold for 90 days (no size limit) then thawed for 1 year (no size limit).
here is my current setting
archiver.enableDataArchive = 0
/opt/splunk/etc/system/default/indexes.conf archiver.maxDataArchiveRetentionPeriod = 0
/opt/splunk/etc/system/default/indexes.conf assureUTF8 = false
bucketRebuildMemoryHint = 0
coldPath = /mnt/archive_s3/SPLUNK_DB/indexname/colddb
/opt/splunk/etc/system/default/indexes.conf coldPath.maxDataSizeMB = 0
coldToFrozenDir = /mnt/archive_s3/SPLUNK_DB/indexname/Frozenarchive
/opt/splunk/etc/system/default/indexes.conf coldToFrozenScript =
compressRawdata = 1
/opt/splunk/etc/system/default/indexes.conf datatype = event
/opt/splunk/etc/system/default/indexes.conf defaultDatabase = main
enableDataIntegrityControl = 0
enableOnlineBucketRepair = 1
/opt/splunk/etc/system/default/indexes.conf enableRealtimeSearch = true
enableTsidxReduction = 0
frozenTimePeriodInSecs = 3024000
homePath = $SPLUNK_DB/indexname/db
/opt/splunk/etc/system/default/indexes.conf homePath.maxDataSizeMB = 0
/opt/splunk/etc/system/default/indexes.conf hotBucketTimeRefreshInterval = 10
/opt/splunk/etc/system/default/indexes.conf indexThreads = auto
/opt/splunk/etc/system/default/indexes.conf journalCompression = gzip
/opt/splunk/etc/system/default/indexes.conf maxBloomBackfillBucketAge = 30d
/opt/splunk/etc/system/default/indexes.conf maxBucketSizeCacheEntries = 0
maxConcurrentOptimizes = 6
maxDataSize = auto_high_volume
maxGlobalDataSizeMB = 0
maxHotBuckets = 10
maxHotIdleSecs = 86400
/opt/splunk/etc/system/default/indexes.conf maxHotSpanSecs = 7776000
maxMemMB = 20
/opt/splunk/etc/system/default/indexes.conf maxMetaEntries = 1000000
/opt/splunk/etc/system/default/indexes.conf maxRunningProcessGroups = 8
/opt/splunk/etc/system/default/indexes.conf maxRunningProcessGroupsLowPriority = 1
/opt/splunk/etc/system/default/indexes.conf maxTimeUnreplicatedNoAcks = 300
/opt/splunk/etc/system/default/indexes.conf maxTimeUnreplicatedWithAcks = 60
maxTotalDataSizeMB = 76800
maxWarmDBCount = 200
/opt/splunk/etc/system/default/indexes.conf memPoolMB = auto
minHotIdleSecsBeforeForceRoll = 0
/opt/splunk/etc/system/default/indexes.conf minRawFileSyncSecs = disable
/opt/splunk/etc/system/default/indexes.conf minStreamGroupQueueSize = 2000
/opt/splunk/etc/system/default/indexes.conf partialServiceMetaPeriod = 0
/opt/splunk/etc/system/default/indexes.conf processTrackerServiceInterval = 1
/opt/splunk/etc/system/default/indexes.conf quarantineFutureSecs = 2592000
/opt/splunk/etc/system/default/indexes.conf quarantinePastSecs = 77760000
/opt/splunk/etc/system/default/indexes.conf rawChunkSizeBytes = 131072
/opt/splunk/etc/system/default/indexes.conf repFactor = 0
rotatePeriodInSecs = 60
rtRouterQueueSize =
rtRouterThreads =
selfStorageThreads =
/opt/splunk/etc/system/default/indexes.conf serviceInactiveIndexesPeriod = 60
/opt/splunk/etc/system/default/indexes.conf serviceMetaPeriod = 25
/opt/splunk/etc/system/default/indexes.conf serviceOnlyAsNeeded = true
/opt/splunk/etc/system/default/indexes.conf serviceSubtaskTimingPeriod = 30
/opt/splunk/etc/system/default/indexes.conf splitByIndexKeys =
/opt/splunk/etc/system/default/indexes.conf streamingTargetTsidxSyncPeriodMsec = 5000
/opt/splunk/etc/system/default/indexes.conf suppressBannerList =
suspendHotRollByDeleteQuery = 0
/opt/splunk/etc/system/default/indexes.conf sync = 0
syncMeta = 1
thawedPath = /mnt/archive_s3/SPLUNK_DB/indexname/thaweddb
/opt/splunk/etc/system/default/indexes.conf throttleCheckPeriod = 15
/opt/splunk/etc/system/default/indexes.conf timePeriodInSecBeforeTsidxReduction = 604800
/opt/splunk/etc/system/default/indexes.conf tsidxReductionCheckPeriodInSec = 600
tsidxWritingLevel =
tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary
/opt/splunk/etc/system/default/indexes.conf warmToColdScript =
I assume this is the issue coldPath.maxDataSizeMB = 0 why skip cold, but not sure.
I appreciated if somebody could fix my settings.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
