How can I set up a setting to keep data less than 6 months to stay cold before roll?

esmith19
Loves-to-Learn

I've read all the articles and past questions but I must be missing something. Our requirement is simple: 6 months searchable, 6 months frozen, then delete. But it seems there is not an easy setting for anything less than cold to say 6 months before roll. It just seems to be data sizes? Currently our hot/warm/cold disk space is full and frozen is empty.

[ns-switches]
homePath = volume:primary/ns-switches/db
coldPath = volume:primary/ns-switches/colddb
thawedPath = $SPLUNK_DB/ns-switches/thaweddb
maxTotalDataSizeMB = 512000
maxDataSize = auto_high_volume
coldToFrozenDir = /splunkfrozen/idx1/ns-switches/frozendb
frozenTimePeriodInSecs = 4320000

0 Karma

PickleRick
SplunkTrust

No errors in logs? Maybe some permission issues?

Your frozen time is pretty low for 6 months - it looks like 50 days or so. It should indeed get rolled to frozen if your buckets are over 50 days old.

0 Karma
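Added example (not part of the original thread, and not Splunk's own code): a Python check that reads the stanza from the question, converts frozenTimePeriodInSecs to days and compares it with the stated requirement, then picks out archived buckets that have passed the second 6-month window, since Splunk does not age out data once it has been copied to coldToFrozenDir. Assumptions: "6 months" is taken as 180 days, the function names are hypothetical, and the bucket names used to exercise it are constructed.

```python
import configparser

DAY = 86400
SEARCHABLE_DAYS = 180  # assumption: "6 months" taken as 180 days
FROZEN_DAYS = 180      # assumption: archive kept a further 180 days

# Stanza from the question, embedded so the example runs offline.
SAMPLE_CONF = """
[ns-switches]
homePath = volume:primary/ns-switches/db
coldPath = volume:primary/ns-switches/colddb
thawedPath = $SPLUNK_DB/ns-switches/thaweddb
maxTotalDataSizeMB = 512000
coldToFrozenDir = /splunkfrozen/idx1/ns-switches/frozendb
frozenTimePeriodInSecs = 4320000
"""

def audit_retention(conf_text, required_days=SEARCHABLE_DAYS):
    """Return {index: (configured_days, seconds_needed, ok)} per stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    needed = required_days * DAY
    report = {}
    for index in cp.sections():
        # 188697600 s (about 6 years) is the default when the key is unset.
        secs = cp.getint(index, "frozenTimePeriodInSecs", fallback=188697600)
        report[index] = (secs / DAY, needed, secs >= needed)
    return report

def expired_frozen_buckets(bucket_names, now, keep_days=FROZEN_DAYS):
    """Return archived buckets whose newest event is older than keep_days.

    Bucket directories are named db_<newest>_<oldest>_<id> (rb_ for
    replicated copies), with both times in epoch seconds.
    """
    expired = []
    for name in bucket_names:
        parts = name.split("_")
        if len(parts) < 4 or parts[0] not in ("db", "rb") or not parts[1].isdigit():
            continue  # not a bucket directory: leave it alone
        if now - int(parts[1]) > keep_days * DAY:
            expired.append(name)
    return expired
```

The second function only returns names; the actual removal from the frozen directory would be a separate scheduled job outside Splunk.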