Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure hot, warm, and cold buckets?

power12
Communicator
‎01-11-2023 03:53 PM

Hello Splunkers ,

I have single machine splunk infrastructure. What stanzas I need to provide in indexes.conf for a index such that  I need to have data in the below order  

Hot / Warm = 14 days
Cold= 10 months

Frozen=1month

Also I have following questions

1.I see that  hot are warm buckets are in the following location $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*

How would we know or differentiate between hot and warm buckets or all look same?


2.Also once the policy of warm bucket is reached like the size or time will the cold location create by itself or should we create manually ($SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/*)

I am pretty new to splunk  so can you please help in what should be the stanzas that I should in order to achieve 14 days hot/warm and  10 months in cold and  1 month in frozen

3.what happens if  we have a year worth of data in the hot/warm  

4.How to back up data everyday?...should we copy the buckets everyday and store in a separate storage and if any disaster occurs if we place back the buckets from storage to warm and cold...will we see data as before?

Thanks,

mz9j

 

Labels (1)
Labels
0 Karma
Reply

RaviSingh
Explorer
‎01-11-2023 10:07 PM

Buckets start rolling when they reach a specific size or age, whichever comes first.

You must set the size restriction high enough so that it is not a consideration in order to make time the only determining factor.

It is advantageous if your hot buckets are set up to just hold one day's worth of data.

Splunk does not manage frozen buckets. When they are eliminated, you decide (using cron, etc.).

 

I hope, it matches your requirements.

Thanks

0 Karma
Reply

power12
Communicator
‎01-12-2023 09:09 AM

@RaviSingh  Thank you for your reply....I  was asking more about how to achieve the bucket size and time for an index..Iwant to know the configs or stanzas that needs in inputs.conf... your reply is more of generic

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...