Hello Splunkers,
I have a single-machine Splunk infrastructure. What stanzas do I need to provide in indexes.conf for an index such that I have data in the below order:
Hot / Warm = 14 days
Cold= 10 months
Frozen=1month
Also I have following questions
1. I see that hot and warm buckets are in the following location: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*
How would we know or differentiate between hot and warm buckets, or do all look the same?
2. Also, once the policy of a warm bucket is reached (like the size or time), will the cold location be created by itself or should we create it manually ($SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/*)?
I am pretty new to Splunk, so can you please help with what the stanzas should be in order to achieve 14 days hot/warm, 10 months in cold and 1 month in frozen?
3. What happens if we have a year's worth of data in the hot/warm?
4. How to back up data every day? Should we copy the buckets every day and store them in a separate storage, and if any disaster occurs and we place the buckets back from storage to warm and cold, will we see data as before?
Thanks,
mz9j
Buckets start rolling when they reach a specific size or age, whichever comes first.
You must set the size restriction high enough so that it is not a consideration in order to make time the only determining factor.
It is advantageous if your hot buckets are set up to just hold one day's worth of data.
Splunk does not manage frozen buckets. When they are eliminated, you decide (using cron, etc.).
I hope it matches your requirements.
Thanks
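As an added illustration of the advice in the reply above (not part of the original answer), here is an indexes.conf stanza that applies it: size limits raised so age is the only roll trigger, one day per hot bucket, a fixed number of warm buckets, and a frozen archive directory that Splunk writes to but never cleans up. The index name, paths and archive directory are assumptions; the 30-day month used to turn "14 days + 10 months" into seconds is also an assumption.

```ini
# Added example stanza, not from the original thread. Index name and paths are placeholders.
[my_index]
homePath   = $SPLUNK_DB/my_index/db
coldPath   = $SPLUNK_DB/my_index/colddb
thawedPath = $SPLUNK_DB/my_index/thaweddb

# Roll a hot bucket to warm after one day (86400 s), regardless of how full it is.
maxHotSpanSecs = 86400

# Raise the per-bucket size limit far above one day's volume so size never triggers a roll
# (auto_high_volume is roughly 10 GB per bucket on 64-bit systems).
maxDataSize = auto_high_volume

# Keep 14 warm buckets; with one-day hot buckets that is about 14 days of hot/warm data.
# The 15th roll moves the oldest warm bucket into coldPath.
maxWarmDBCount = 14

# Freeze a bucket once its newest event is older than hot/warm + cold:
# 14 days + 10 months (assumed 30-day months = 300 days) = 314 days = 27129600 s.
frozenTimePeriodInSecs = 27129600

# Archive frozen buckets into this directory instead of deleting them.
# Splunk only writes here; it never removes anything from it.
coldToFrozenDir = /archive/splunk/my_index_frozen
```

A few notes on how this maps to the questions. The hot/warm figure is approximate: Splunk may keep more than one hot bucket open at a time (maxHotBuckets), so the warm tier can hold slightly more or less than exactly 14 calendar days. Inside homePath, hot buckets are the directories named hot_v1_<n>; once rolled they are renamed db_<newest-epoch>_<oldest-epoch>_<n>, and the same db_ naming is used in coldPath, so the tier of a bucket is visible from its name and location. Splunk creates the homePath, coldPath and thawedPath directories itself when the index is defined; colddb does not need to be created by hand. Finally, "1 month in frozen" is not something Splunk enforces: as the reply says, a scheduled job outside Splunk (for example a daily cron job that removes subdirectories of coldToFrozenDir older than 30 days) has to do that deletion, and restoring a frozen bucket means copying it into thawedPath and rebuilding it rather than dropping it back into db or colddb.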
@RaviSingh Thank you for your reply. I was asking more about how to achieve the bucket size and time for an index. I want to know the configs or stanzas that are needed in inputs.conf; your reply is more generic.