You can easily move it from Hot to Warm by either restarting Splunk (all hot rolls to warm) or changing the following entry in indexes.conf for the stanza matching this index:
To move the data from Warm to Cold you'll need to reduce the size of the index so all buckets will roll from Warm to Cold.
So... find the indexes.conf definition
temporarily change (or add) this value
Everything will roll to cold if there is data still coming in. You could probably set both of them to 0 (although I've never tried it) but that seems like a runaway train...
The point is, you're using the settings on your index to force the data to roll out of hot and warm and into cold. This is of course if you still have data flowing in.
Keep in mind, as I said at the top, when you stop Splunk, all hot buckets will roll to warm. So if there is only one warm bucket, and data still flowing in... everything ends up in cold... quickly.
Thank you for your guidance. Can you please tell me the parameters which I need to change to get the data into the cold bucket from the hot bucket?
swati_sharma: I changed the answer so it reflects the correct directive.
Basically, you are forcing the data to pass through by reducing the buckets. Assuming you have data still flowing through, setting the 'bucket size' in both hot and warm to 1 will cause the data to quickly flow to cold.
All of this is documented as mentioned above.
I have tried the settings you gave, i.e. maxHotBucket=1 and maxTotalDataSizeMB=0. However, I am still not getting data in the cold bucket. The behaviour is that data moves directly to the frozen bucket from the hot bucket.
You're right. I've edited my answer... check out the indexes.conf doc.
The size directive governed the entire index... so put that back where it was. (mea culpa)
If you reduce the number of hot buckets, and then also the number of warm buckets, your stuff will have nowhere to go but cold.
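The failure reported in this thread (data freezing instead of reaching cold) can be checked before restarting Splunk. The script below is an added example, not code from any poster or from Splunk: it audits one indexes.conf stanza for the settings discussed. The stanza name `example_index`, the default values, and the sizing heuristic are assumptions to confirm against the indexes.conf spec for your version.

```python
import configparser

# Defaults assumed from the indexes.conf spec; confirm for your Splunk version.
DEFAULTS = {"maxHotBuckets": "3", "maxWarmDBCount": "300",
            "maxTotalDataSizeMB": "500000", "maxDataSize": "auto"}
BUCKET_MB = {"auto": 750, "auto_high_volume": 10240}  # nominal bucket sizes

# Constructed stanzas: the settings reported as tried in the thread, and the
# final advice (cap hot and warm bucket counts, leave the index size alone).
TRIED = """
[example_index]
maxHotBuckets = 1
maxTotalDataSizeMB = 0
"""
ADVISED = """
[example_index]
maxHotBuckets = 1
maxWarmDBCount = 1
"""

def audit_index(conf_text, index):
    """Summarise how one index stanza drives bucket rolling and freezing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    s = {**DEFAULTS, **dict(cp[index])}
    hot, warm = int(s["maxHotBuckets"]), int(s["maxWarmDBCount"])
    bucket = BUCKET_MB.get(s["maxDataSize"]) or int(s["maxDataSize"])
    # Heuristic (assumption): cold only fills if the index cap has room for
    # every hot and warm bucket plus at least one cold bucket.
    min_index_mb = (hot + warm + 1) * bucket
    return {
        "warm_buckets_before_cold": warm,
        "min_index_mb": min_index_mb,
        "freezes_before_cold": int(s["maxTotalDataSizeMB"]) < min_index_mb,
        # Frozen buckets are deleted unless an archive dir or script is set.
        "frozen_is_deleted": not (s.keys() & {"coldToFrozenDir", "coldToFrozenScript"}),
    }

if __name__ == "__main__":
    for name, text in (("tried", TRIED), ("advised", ADVISED)):
        print(name, audit_index(text, "example_index"))
```

On a production index, `frozen_is_deleted` is the field to watch: forcing buckets through with a shrunken size cap discards events unless an archive destination is configured.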