How to configure hot, warm, and cold buckets?

power12
Communicator

Hello Splunkers,

I have a single-machine Splunk infrastructure. What stanzas do I need to provide in indexes.conf for an index so that I have data in the order below?

Hot/Warm = 14 days

Cold = 10 months

Frozen = 1 month

Also, I have the following questions:

1. I see that hot and warm buckets are in the following location: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*

How would we know or differentiate between hot and warm buckets, or do they all look the same?

2. Also, once the policy of the warm bucket is reached, like the size or time, will the cold location be created by itself or should we create it manually ($SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/*)?

I am pretty new to Splunk, so can you please help with what stanzas I should use in order to achieve 14 days in hot/warm, 10 months in cold and 1 month in frozen?

3. What happens if we have a year's worth of data in hot/warm?

4. How do we back up data every day? Should we copy the buckets every day and store them in separate storage, and if any disaster occurs and we place the buckets back from storage into warm and cold, will we see the data as before?

Thanks,

mz9j

 

0 Karma

RaviSingh
Explorer

Buckets start rolling when they reach a specific size or age, whichever comes first.

You must set the size restriction high enough so that it is not a consideration in order to make time the only determining factor.

It is advantageous if your hot buckets are set up to just hold one day's worth of data.

Splunk does not manage frozen buckets. When they are eliminated, you decide (using cron, etc.).

 

I hope it matches your requirements.

Thanks

0 Karma
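An indexes.conf sketch of the size-versus-age point in the answer above, added here as an example and not taken from any post in this thread. The index name `myindex`, the archive path and the size cap are assumptions; Splunk has no age-based warm-to-cold setting, so the 14-day hot/warm window is approximated with one-day buckets and a warm bucket count.

```ini
# indexes.conf (added example; index name, archive path and size cap are assumptions)
# Comments must sit on their own line: Splunk .conf files do not support trailing comments.
[myindex]
homePath   = $SPLUNK_DB/myindex/db
coldPath   = $SPLUNK_DB/myindex/colddb
thawedPath = $SPLUNK_DB/myindex/thaweddb

# Keep size out of the picture so age decides when buckets roll.
# auto_high_volume lets a bucket grow to 10 GB on 64-bit systems before a size-based roll.
maxDataSize = auto_high_volume

# Placeholder cap for the whole index (hot + warm + cold). If the index exceeds it,
# the oldest buckets are frozen regardless of age, so size it above
# (daily volume) x (days of retention).
maxTotalDataSizeMB = 2000000

# A hot bucket spans at most one day of event time, then rolls to warm.
maxHotSpanSecs = 86400

# Warm-to-cold is count-based, not time-based: once there are more than 14 warm
# buckets, the oldest rolls to cold. With one-day buckets this is roughly 14 days.
# It is approximate: restarts and multiple concurrent hot buckets create extra buckets.
maxWarmDBCount = 14

# Total searchable lifetime before freezing, measured from the newest event in a bucket:
# 14 days hot/warm + about 300 days (10 months) cold = 314 days = 27129600 seconds.
frozenTimePeriodInSecs = 27129600

# Without this setting, frozen buckets are deleted. With it, they are archived here
# instead. Splunk never cleans this directory: removing archives after one month is
# an external job (cron, etc.), as the answer says.
coldToFrozenDir = /archive/splunk/myindex/frozen
```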

power12
Communicator

@RaviSingh Thank you for your reply. I was asking more about how to achieve the bucket size and time for an index. I want to know the configs or stanzas that are needed in inputs.conf. Your reply is more generic.

0 Karma