Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- coldToFrozenDir per index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was running a cold to frozen script that moved the forzen files into a separate directory per index.
/opt/splunk/bin/compressedExport.sh
( cd "$1" && gzip *.tsidx )
SPATH=`echo $1 |sed 's/^\/var\/splunk\/lib\/splunk\/\(.*\/\)db.*$/\1/'`
mkdir -p /var/splunk/archive/$SPATH
cp -r "$1" /var/splunk/archive/$SPATH #replace this with your archive directory
So I would end up with the archives in
/var/splunk/archive/index1
/var/splunk/archive/index2
etc
Is there an easy way to do something similar with the new coldtofrozen script.
I tried setting
coldToFrozenDir = /var/splunk/archive/
but all the archive files end up in the root of the /var/splunk/archive/ directory.
Can I define coldToFrozenDir per index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the answer, I looked at the
/opt/splunk/bin/coldToFrozenExample.py script and saw it has this line at the end
destdir = os.path.join(ARCHIVE_DIR, indexname, os.path.basename(bucket))
So if I use that script it will put it in /ARCHIVE_DIR/index/
So I made a copy of the script, edited it, added a new line at the top, so on unix systems it will execute as a python script
#!/opt/splunk/bin/python
and changing the ARCHIVE_DIR line at the top to
ARCHIVE_DIR = '/var/splunk/archive'
then added the following to the [default] in /opt/splunk/etc/system/local/indexes.conf
coldToFrozenScript = $SPLUNK_HOME/bin/coldToFrozen.py
Now it archives to a folder in /var/splunk/archive/indexname/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the answer, I looked at the
/opt/splunk/bin/coldToFrozenExample.py script and saw it has this line at the end
destdir = os.path.join(ARCHIVE_DIR, indexname, os.path.basename(bucket))
So if I use that script it will put it in /ARCHIVE_DIR/index/
So I made a copy of the script, edited it, added a new line at the top, so on unix systems it will execute as a python script
#!/opt/splunk/bin/python
and changing the ARCHIVE_DIR line at the top to
ARCHIVE_DIR = '/var/splunk/archive'
then added the following to the [default] in /opt/splunk/etc/system/local/indexes.conf
coldToFrozenScript = $SPLUNK_HOME/bin/coldToFrozen.py
Now it archives to a folder in /var/splunk/archive/indexname/
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
