
How to configure hot, warm, and cold buckets?

power12
Communicator

Hello Splunkers,

I have a single-machine Splunk infrastructure. What stanzas do I need to provide in indexes.conf for an index so that I have data in the order below?

Hot/Warm = 14 days
Cold = 10 months
Frozen = 1 month

Also, I have the following questions:

1. I see that hot and warm buckets are in the following location: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*

How would we know or differentiate between hot and warm buckets, or do they all look the same?


2. Also, once the policy of the warm bucket is reached, like the size or time, will the cold location be created by itself, or should we create it manually ($SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/*)?

I am pretty new to Splunk, so can you please help with what stanzas I should use in order to achieve 14 days in hot/warm, 10 months in cold, and 1 month in frozen?

3. What happens if we have a year's worth of data in hot/warm?

4. How do we back up data every day? Should we copy the buckets every day and store them in separate storage, and if any disaster occurs and we place the buckets back from storage into warm and cold, will we see the data as before?

Thanks,

mz9j

 

0 Karma

RaviSingh
Explorer

Buckets start rolling when they reach a specific size or age, whichever comes first.

You must set the size restriction high enough so that it is not a consideration in order to make time the only determining factor.

It is advantageous if your hot buckets are set up to just hold one day's worth of data.

Splunk does not manage frozen buckets. When they are eliminated, you decide (using cron, etc.).

 

I hope it matches your requirements.

Thanks

0 Karma
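The rolling rules in the answer above, written out as an indexes.conf stanza. This is an added example, not part of the original thread and not Splunk's own sample: the index name `myindex` and the archive path are hypothetical, months are counted as 30 days, and the warm window only approximates 14 days because warm buckets roll to cold by count, not by age.

```ini
# indexes.conf (for example in $SPLUNK_HOME/etc/system/local/)
# Added example. "myindex" and /archive/myindex/frozen are hypothetical names.
# Splunk .conf files do not support trailing comments, so each comment
# sits on its own line above the setting it describes.

[myindex]
# Hot and warm buckets share homePath; cold buckets live in coldPath.
homePath   = $SPLUNK_DB/myindex/db
coldPath   = $SPLUNK_DB/myindex/colddb
thawedPath = $SPLUNK_DB/myindex/thaweddb

# Size limit per bucket. Set it high enough that a day of data never
# reaches it, so that time is what rolls a hot bucket.
# auto_high_volume is 10 GB on 64-bit systems; an integer (MB) also works.
maxDataSize = auto_high_volume

# A hot bucket may span at most one day of event time (86400 s).
maxHotSpanSecs = 86400

# Warm to cold is driven by bucket count. With roughly one bucket
# per day, 14 warm buckets is about 14 days. Restarts and parallel hot
# buckets create extra buckets, which shortens the window.
maxWarmDBCount = 14

# A bucket is frozen once its newest event is older than this.
# The clock covers hot + warm + cold together:
# (14 days + 10 * 30 days) * 86400 s = 27129600 s.
frozenTimePeriodInSecs = 27129600

# Without coldToFrozenDir (or coldToFrozenScript) frozen buckets are
# deleted. With it, they are copied here before removal from the index.
coldToFrozenDir = /archive/myindex/frozen

# maxTotalDataSizeMB (default 500000) also freezes the oldest buckets when
# the whole index grows past it, regardless of age. Raise it if 314 days of
# data would exceed that size.
```

Splunk stops managing buckets once they land in `coldToFrozenDir`, so the one-month frozen window has to be enforced by a scheduled job outside Splunk, as the answer says.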

power12
Communicator

@RaviSingh Thank you for your reply. I was asking more about how to achieve the bucket size and time for an index. I want to know the configs or stanzas that are needed in inputs.conf. Your reply is more generic.

0 Karma