Monitoring Splunk

What is the best practice for moving frozen data into a bigger disk without losing any data?

saurabh0912
Path Finder

Hi,
We are reaching 100% of disk space for frozen data.
I wanted to know how can we move data to a bigger disk without turning off Splunkindexers?

Labels (2)
0 Karma
1 Solution

nickhills
Ultra Champion

Frozen data is invisible to Splunk.

You can just move it to a new location without any additional process.

Splunk only tracks Hot/Warm, Cold, and thawed data.
Frozen data is essentially considered "offline" or "archived" - Its up to you how you manage it.

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

Frozen data is invisible to Splunk.

You can just move it to a new location without any additional process.

Splunk only tracks Hot/Warm, Cold, and thawed data.
Frozen data is essentially considered "offline" or "archived" - Its up to you how you manage it.

If my comment helps, please give it a thumbs up!

saurabh0912
Path Finder

I will be swapping disks, therefore for brief time there won't be any disk available to splunk for frozen data. Will it cause any issue if Splunk couldn't find the disk to place the frozen data for some time.

0 Karma

nickhills
Ultra Champion

No - If the frozen path is not available, buckets will not move to the frozen path.

You do not want to keep it in this condition for too long, but once the frozen volume is mounted, freezing will resume from where it left off.

See: https://answers.splunk.com/answers/287056/if-my-coldtofrozendir-is-full-or-unavailable-do-i.html

If my comment helps, please give it a thumbs up!

saurabh0912
Path Finder

Got it.
if i have to keep this in long(2-3 days) condition, should I calculate the data ingestion per day and add that much disk space to colddata disk as temp solution?

0 Karma

nickhills
Ultra Champion

It depends how much data you have that will roll from cold to frozen in that time.

You could look at the files in your frozen dir with a modified time in the last 3 days, and add up the total size on disk for a total. This would give you an estimate based on history.

However, if your daily ingest is 10Gb a day, you would probably be pretty safe with some fag packet maths:

Daily ingest (10Gb) x 3 (days) + 30% = ~40Gb

If my comment helps, please give it a thumbs up!

saurabh0912
Path Finder

Thanks, will try same.

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...