Re: Why are frozen buckets not going to frozen pat...

dmitchell92 · ‎10-09-2019

Hello, I'm trying to configure my indexes to store frozen buckets on an NFS share mounted to the Splunk Server. I have mounted the share, created a path with sub folders for each index.

I've set this and let it ride.

I went to check the data on the NFS share and there is nothing in the NFS Share path.

Is there something else I'm missing here?

dmitchell92 · ‎10-10-2019

Yes, I have coldToFrozenDir set for each index in $SPLUNKHOME/apps/search/local/indexes.conf. Is there something else I'm missing?

richgalloway · ‎10-10-2019

Verify Splunk has write access to the frozen dir.
Check splunkd.log for errors.

---
If this reply helps you, Karma would be appreciated.

dmitchell92 · ‎10-10-2019

directory access has been confirmed. Only reference to coldToFrozenDir states that both coldToFrozenScript and coldToFrozenScript are set and coldToFrozenDir will take precedence.

ivanreis · ‎10-09-2019

As mentioned by richgalloway, you have to add the configuration path for "coldToFrozenDir" at indexes.conf not at inputs.conf.

check this link here for further information
https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Configureindexstorage#Attributes_that_aff...

See below a sample of configuration for "coldToFrozenDir" parameter setup at indexes.conf
[web]
homePath = volume:primary/web/db
coldPath = volume:primary/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
coldToFrozenDir = /opt/frozen/web

richgalloway · ‎10-09-2019

Have you set coldToFrozenDir in indexes.conf?

---
If this reply helps you, Karma would be appreciated.

Why are frozen buckets not going to frozen path?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM