Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I set up a setting to keep data less than 6 months to stay cold before roll?

esmith19
Loves-to-Learn
‎03-28-2022 10:28 AM

I've read all the articles and past questions but I must be missing something. Our requirement is simple 6 months searchable, 6 months frozen. then delete. but seems there is not an easy setting for anything less than cold to say 6months before roll. just seems data sizes?  currently our hot/warm/cold disk space is full and frozen is empty

[ns-switches]
homePath = volume:primary/ns-switches/db
coldPath = volume:primary/ns-switches/colddb
thawedPath = $SPLUNK_DB/ns-switches/thaweddb
maxTotalDataSizeMB = 512000
maxDataSize = auto_high_volume
coldToFrozenDir = /splunkfrozen/idx1/ns-switches/frozendb
frozenTimePeriodInSecs = 4320000

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-28-2022 12:14 PM

No errors in logs? Maybe some permission issues?

Your frozen time is pretty low for 6 months - it looks like 50 days or so. It should indeed get rolled to frozen if your buckets are over 50 days old.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...