Getting Data In

Where are my archived files getting saved?

seema2502
Explorer

Hi Team,

i want to know where my archived files are getting saved as in my indexes.conf file "coldToFrozenDir = ".
currently we are keeping logs only for 30 days, but the team who is using Splunk need logs for at least 60 days, so i need to analyze how much data we had last month so that we can check for disk space and rest all configuration.

Thanks,
Seema

Tags (2)
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi seema2502,

from the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/Automatearchiving

Caution: By default, the indexer deletes all frozen data. It removes the data from the index at the moment it becomes frozen. If you need to keep the data around, you must configure the indexer to archive the data before removing it. You do this by either setting the coldToFrozenDir attribute or specifying a valid coldToFrozenScript in indexes.conf.

You can verify with this command (on *nix) $SPLUNK_HOME/bin/splunk cmd btool indexes list | grep coldToFrozenDir if any valid directory is set or not. If not your frozen events are gone.

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi seema2502,

from the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/Automatearchiving

Caution: By default, the indexer deletes all frozen data. It removes the data from the index at the moment it becomes frozen. If you need to keep the data around, you must configure the indexer to archive the data before removing it. You do this by either setting the coldToFrozenDir attribute or specifying a valid coldToFrozenScript in indexes.conf.

You can verify with this command (on *nix) $SPLUNK_HOME/bin/splunk cmd btool indexes list | grep coldToFrozenDir if any valid directory is set or not. If not your frozen events are gone.

cheers, MuS

seema2502
Explorer

Hi Mus,

Thanks a lot for your swift response. As we have not set any specific path for coldToFrozenDir hence Splunk might have removed all the frozen files.
Regards,
Seema

0 Karma

MuS
SplunkTrust
SplunkTrust

Indeed, no directory set = frozen events removed. Please mark this as answered in this case, thx

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...