I intend on consolidating frozen buckets from multiple indexers onto a long term archival machine. The goal would be to make this archival machine an "read-only" indexer, and have it serve all of the frozen buckets seamlessly to splunk users via distributed search.
Since we'd have $SPLUNK_HOME/var/lib/splunk/(indexhere)/frozen/ contain buckets from 5+ indexers, i was going to try to add a prefix/postfix to each bucketid added to the directory to ensure there aren't any collisions.
Does anyone know how large the bucketid's can be? How often the id's return to 0?