We need your help in creating the configuration to align with the requirements.
We have created an index for application logs, rpp_pe_idx_dmc, and we have created a scheduled saved search to perform some searches and store the results by enabling summary indexing at rpp_pe_summary_idx_dmc. The question here is that we need to update indexes.conf to meet the requirements below.
Hot&Warm buckets will have 90 days of raw data (for index rpp_pe_idx_dmc)
Cold buckets will have last 10 months of summary data (for index rpp_pe_summary_idx_dmc)
Let me understand:
You said that the retention of rpp_pe_idx_dmc is 90 days in hot/warm data, but what is the retention of cold data?
Do you want to use the summary only for cold data, and not also for hot/warm data? Why?
Your requirement is not clear: how long do you want to archive full logs? In other words, what is the retention?
How do you want to use the summary: to archive summary data or to accelerate searches?
Anyway you can define:
The max number of warm buckets: maxWarmDBCount = ,
The maximum size of an index (in MB): maxTotalDataSizeMB = ,
Total retention period: frozenTimePeriodInSecs = ,
The maximum size in MB for a hot DB to reach before a roll to warm is triggered: maxDataSize = |auto|auto_high_volume,
Maximum hot buckets that can exist per index: maxHotBuckets = ,
The maximum size of homePath (which contains hot and warm buckets): homePath.maxDataSizeMB = ,
Obviously, remember that a bucket will be deleted when the latest event of the bucket is out of the retention period, so the earliest events of a bucket will remain online longer than the retention period.
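
As an added illustration (not part of the original thread), an indexes.conf sketch for the two indexes using the settings listed above. It assumes that 90 days and 10 months are meant as the total retention of each index, that a month is counted as 30 days, and that the paths follow the usual $SPLUNK_DB layout; all three are assumptions to adjust.

```ini
# Added example; paths and the 30-day month are assumptions.

[rpp_pe_idx_dmc]
homePath   = $SPLUNK_DB/rpp_pe_idx_dmc/db
coldPath   = $SPLUNK_DB/rpp_pe_idx_dmc/colddb
thawedPath = $SPLUNK_DB/rpp_pe_idx_dmc/thaweddb
# Total retention: 90 days * 86400 s = 7776000 s.
# A bucket is frozen only when its latest event is older than this,
# so its earliest events stay searchable for longer than 90 days.
frozenTimePeriodInSecs = 7776000
# Hot/warm to cold is not time-based. It is driven by maxWarmDBCount
# and homePath.maxDataSizeMB, so "90 days in hot/warm" has to be sized
# from the daily volume of this index rather than set as a duration.

[rpp_pe_summary_idx_dmc]
homePath   = $SPLUNK_DB/rpp_pe_summary_idx_dmc/db
coldPath   = $SPLUNK_DB/rpp_pe_summary_idx_dmc/colddb
thawedPath = $SPLUNK_DB/rpp_pe_summary_idx_dmc/thaweddb
# Total retention: 10 months taken as 300 days * 86400 s = 25920000 s.
frozenTimePeriodInSecs = 25920000

# For both indexes: maxTotalDataSizeMB also freezes the oldest buckets
# once the index reaches that size, even if they are still inside the
# time limit. Size it above the expected volume for the retention period.
```

Whichever limit is reached first, size or time, decides when a bucket is frozen, so both have to be checked against the expected log volume.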