Getting Data In

How to configure coldToFrozenDir in indexes.conf on multiple indexers to archive indexed data?

locose
Path Finder

So let’s say I have 2 or 3 indexers and I configure the coldToFrozenDir in the indexes.conf…

[default]
maxWarmDBCount = 200
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenDir = "myAmason_server_mount/myfrozenarchive"

Do you do this on each of the indexers or should I do something like this

Indexer1

[default]
maxWarmDBCount = 200
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenDir = "myAmason_server_mount/myfrozenarchive/index_1"

Indexer2

[default]
maxWarmDBCount = 200
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenDir = "myAmason_server_mount/myfrozenarchive/index_2"

Indexer3

[default]
maxWarmDBCount = 200
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenDir = "myAmason_server_mount/myfrozenarchive/index_3"

I wasn’t sure if the indexer data files would step on each other if I send all the data using coldToFrozenDir option to the same path. i.e "myAmason_server_mount/myfrozenarchive"

0 Karma

ephemeric
Contributor

Hi,

I needed to know the same answer so I setup Splunk 6.4.8 and tested. To my dismay all buckets from all indexes got to your coldToFrozenDir as db_*.

Tried:
coldToFrozenDir = /media/archive/splunk/$_index_name
but it created
/media/archive/splunk/\$_index_name/

Lame.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...