Re: How does Splunk rotate indexed data (colddb, e...

jackiewkc · ‎10-31-2017

Hi,

I have an index called app1 with the following configuration.

[app1]
coldPath = $SPLUNK_DB/app1/colddb
homePath = $SPLUNK_DB/app1/db
thawedPath = $SPLUNK_DB/app1/thaweddb
maxDataSize = auto_high_volume
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 5000000
repFactor = auto

Under $SPLUNK_DB/app1/, here is the output of " du -sk * "

2016530744 colddb
0 datamodel_summary
2256897696 db
0 thaweddb

My understanding is that data is indexed and stored for 365 days, and I would assume the indexed data is stored under $SPLUNK_DB/app1/db. The part I don't understand is how the data is rolled into colddb and where may that be configured.

Any help will be greatly appreciated.

Thanks.

lfedak_splunk · ‎10-31-2017

Hey @jackiewkc, Here's a link to an overview: http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Bucketsandclusters
Buckets can be configured for max size or time and they rotate when the last event to enter the bucket matches the criteria. Hot/warm are stored in a different location than cold, which helps w/ search efficiency. (Splunk skips buckets if it can tell from the outside that the time range won't match, which is part of why time is such an efficient search parameter). For it to roll into colddb the conditions are configurable (for all stages, that is). You can read more about those configurations here: http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Configureindexstorage

How does Splunk rotate indexed data (colddb, etc)?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation