Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When does splunk roll data from warm to cold?

robertosegantin
Path Finder
‎07-16-2018 04:07 AM

On my test environement I configured and index like this:

[prove_di_cold]
homePath = /root/splunk_hot/prove_di_cold/db
coldPath = /root/splunk_cold/prove_di_cold/colddb
thawedPath = /root/splunk_cold/prove_di_cold/thaweddb
maxWarmDBCount=1
maxDataSize = 1000
maxHotSpanSecs = 40
frozenTimePeriodInSecs = 100
rotatePeriodInSecs = 60
bucketRebuildMemoryHint = 0
coldToFrozenDir = /root/splunk_frozen/prove_di_cold
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair = 1
enableTsidxReduction = 0
minHotIdleSecsBeforeForceRoll = 0
rtRouterQueueSize =
rtRouterThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1

But splunk never copy any data from hot/warm path to cold or freeze path

Have you got any other information about it?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

CarsonZa
Contributor
‎07-16-2018 08:27 AM

splunk wont roll the data until the bucket is full. its possible your hot bucket(s) arent full to even roll to warm even if the maxHotSpanSecs = 40 is set.

try setting this maxHotBuckets=x to a lower integer default is 3.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Indexesconf

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

CarsonZa
Contributor
‎07-16-2018 08:27 AM

splunk wont roll the data until the bucket is full. its possible your hot bucket(s) arent full to even roll to warm even if the maxHotSpanSecs = 40 is set.

try setting this maxHotBuckets=x to a lower integer default is 3.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Indexesconf

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎07-16-2018 06:35 AM

check with btool which settings are being applied.

./splunk btool indexes list --debug prove_di_cold

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-16-2018 06:20 AM

Weird because you have frozenTimePeriodInSecs = 100

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...