Questions regarding the Splunk / Hunk Splunk Archiver dashboard

Path Finder

In the Archive dashboard, I see two panels for archiving via coldToFrozen by index. I've googled it and looked through the documentation, but don't see how to configure this for HDFS. Am I correct to assume that it's not for the HDFS or S3 archiving, but for the archiving scripts method?

0 Karma

Splunk Employee

There is more information about this feature here:
http://docs.splunk.com/Documentation/Hunk/latest/Hunk/Setanarchivescript

Ordinarily, buckets will be archived long before they roll to frozen, so the system will delete frozen buckets normally. However, if you set vix.output.buckets.older.than to a very large number, or if an indexer has a very heavy load, it is possible for a bucket to be deleted before it is archived. As a back-up feature, we provide a coldToFrozen script you can use which, instead of deleting the bucket, just renames it. The bucket won't be searchable, but archiving will still find it, and will delete it once it has been successfully archived.

Assuming that you are using this feature, these panels will show you how many frozen-and-renamed buckets have been found, and how many have been deleted, by the archiving process.

SplunkTrust

Keith: two questions from the documentation that you quote

1) "Note the following if you are using Hunk's coldToFrozenSh.script"

That should probably be coldToFrozen.sh script

2) "All the search peers to the Hunk search head must have the script installed as well. You can do each peer manually or use the deployer for search head clusters. See Configure search head clustering."

I see the binary on my indexers in /opt/splunk/etc/apps/splunk_archiver/bin so I don't need to do anything right? Doesn't that script come with Splunk 6.3 and greater?

0 Karma

Splunk Employee

Thanks Becky! I believe you are correct on both counts. I'm bringing this to the attention of our Documentation team.

0 Karma

SplunkTrust

And a third question.. we add this line to the _archive index stanza not the index stanza without the _archive. Correct?

coldToFrozenScript = "$SPLUNK_HOME/etc/apps/splunk_archiver/bin/coldToFrozen.sh"

0 Karma

Splunk Employee

On this one, I believe the documentation is correct as it stands. We want to change the behavior of the original index, so that it does not delete its buckets when they roll to frozen. We don't need to change the behavior of the archiving index--it already knows to look for renamed buckets if they are there.

The coldToFrozenScript property is actually a generalized mechanism that you can use without archiving. For instance, if you want to write a script that encrypts old buckets and transfers them via scp to another system, you trigger that script with this property. There is more information about it in the spec for the indexes.conf file:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

0 Karma
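
As an added example (not part of the thread, and not Splunk's or Hunk's own script), here is a minimal script of the kind the coldToFrozenScript property can trigger. It writes a verified local tar archive in place of the encrypt-and-scp step mentioned above; ARCHIVE_DIR and the `<index>/colddb/<bucket>` path layout are assumptions. The indexer passes the bucket path as the only argument and removes the bucket once the script exits 0, so the script reports success only after the archive has been checked.

```shell
#!/bin/sh
# Added example: a minimal coldToFrozenScript. Not Splunk's or Hunk's script.
# ARCHIVE_DIR is a hypothetical destination; override it in the environment.
ARCHIVE_DIR="${ARCHIVE_DIR:-/tmp/frozen_archive}"

# archive_bucket BUCKET_PATH
# Returns 0 only after a complete archive of the bucket has been verified.
archive_bucket() {
    bucket="${1%/}"
    # A bucket directory holds a rawdata/ subdirectory; refuse anything else.
    if [ ! -d "$bucket/rawdata" ]; then
        echo "not a bucket directory: $bucket" >&2
        return 1
    fi
    parent=$(dirname "$bucket")
    name=$(basename "$bucket")
    # Assumed layout: <db root>/<index>/colddb/<bucket>
    index=$(basename "$(dirname "$parent")")
    dest="$ARCHIVE_DIR/$index"
    mkdir -p "$dest" || return 1

    tmp="$dest/$name.tar.gz.partial"
    tar -czf "$tmp" -C "$parent" "$name" || { rm -f "$tmp"; return 1; }

    # Verify before reporting success: the archive must list as many
    # regular files as the bucket holds on disk.
    want=$(cd "$parent" && find "$name" -type f | wc -l)
    got=$(tar -tzf "$tmp" | grep -v '/$' | wc -l)
    if [ "$want" -ne "$got" ]; then
        echo "verification failed for $bucket" >&2
        rm -f "$tmp"
        return 1
    fi
    # Rename last so a partial file is never mistaken for a finished archive.
    mv "$tmp" "$dest/$name.tar.gz"
}

# Entry point when invoked by the indexer with the bucket path as $1.
if [ "$#" -eq 1 ]; then
    archive_bucket "$1"
    exit $?
fi
```
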

SplunkTrust

Okay so we only add the line to the indexers indexes.conf stanza for those indexes that we are archiving. And not to foo_archive, just foo.

coldToFrozenScript = "$SPLUNK_HOME/etc/apps/splunk_archiver/bin/coldToFrozen.sh"

Somehow I missed this and thought it was to the search head.

0 Karma