Hi @BRFZ

Configure the index in indexes.conf as follows to enforce your requirements:

- Set frozenTimePeriodInSecs to 86400 (24 hours).
- Set maxWarmDBCount to a low value and maxHotSpanSecs to 43200 (12 hours) so that buckets roll to warm quickly.
- Set maxWarmDBCount, maxDataSize, or other thresholds to force buckets to cold after 12 hours.
- Configure a coldToFrozenDir to archive (not delete) after cold.

Try this as an example indexes.conf:

```
[test]
homePath = $SPLUNK_DB/test/db
coldPath = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb
# set bucket max age to 12h (hot→warm)
maxHotSpanSecs = 43200
# default size, can reduce for faster bucket rolling #
maxDataSize = auto
# keep small number of warm buckets, moves oldest to cold #
maxWarmDBCount = 1
# total retention 24h
frozenTimePeriodInSecs = 86400
# archive to this path, not delete
coldToFrozenDir = /archive/test
```

With this setup, data will move from hot→warm after 12h (due to maxHotSpanSecs), and the oldest warm buckets will be rolled to cold (enforced by the low maxWarmDBCount). Data will be kept for 24h in total before being archived.

The number of buckets (maxWarmDBCount, etc.) should be kept low to ensure data moves through states quickly for such a short retention. Splunk is optimised for longer retention; very short retention and frequent bucket transitions can increase management overhead. It's generally advised to not have small buckets due to this, however due to the small retention period you shouldn't end up with too many buckets here?

Other things to remember:

- If you use coldToFrozenDir, ensure permissions and disk space are sufficient at the archive destination.
- Test carefully, as low maxWarmDBCount and short maxHotSpanSecs may result in more buckets than usual and performance impacts.
- If you want to restore archived data, it must be manually thawed.

Did this answer help you? If so, please consider:

- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
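A retention audit for the stanza above, as an added example that is not part of the original answer or of Splunk's tooling: it reports whether frozen buckets are archived or deleted and how old events can be when their bucket freezes. The function name `audit_index` and the `required_retention_secs` parameter are hypothetical, and size-based freezing (`maxTotalDataSizeMB`) is ignored.

```python
import configparser

# Splunk defaults applied when a stanza omits the setting (indexes.conf.spec).
DEFAULTS = {"maxHotSpanSecs": 7776000, "frozenTimePeriodInSecs": 188697600,
            "maxWarmDBCount": 300}

# Stanza from the answer above, embedded so the check runs offline.
SAMPLE_CONF = """
[test]
homePath = $SPLUNK_DB/test/db
coldPath = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb
maxHotSpanSecs = 43200
maxDataSize = auto
maxWarmDBCount = 1
frozenTimePeriodInSecs = 86400
coldToFrozenDir = /archive/test
"""

def audit_index(conf_text, index, required_retention_secs):
    """Return (summary, findings) for one index stanza (time-based limits only)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive, as Splunk does
    cp.read_string(conf_text)
    stanza = cp[index]
    num = lambda key: int(stanza.get(key, DEFAULTS[key]))
    frozen, hot_span = num("frozenTimePeriodInSecs"), num("maxHotSpanSecs")
    archived = bool(stanza.get("coldToFrozenDir") or stanza.get("coldToFrozenScript"))
    summary = {
        # A bucket freezes once its NEWEST event is older than frozenTimePeriodInSecs,
        # so its oldest event can be up to one bucket span older at that moment.
        "min_event_age_at_freeze": frozen,
        "max_event_age_at_freeze": frozen + hot_span,
        "frozen_action": "archive" if archived else "delete",
        "max_warm_buckets": num("maxWarmDBCount"),
    }
    findings = []
    if frozen < required_retention_secs:
        findings.append(f"{index}: retention {frozen}s is below required {required_retention_secs}s")
    if not archived:
        findings.append(f"{index}: no coldToFrozenDir/coldToFrozenScript, frozen buckets are deleted")
    return summary, findings

if __name__ == "__main__":
    summary, findings = audit_index(SAMPLE_CONF, "test", required_retention_secs=86400)
    print(summary)
    print(findings or "no findings")
```

For the stanza above, events can be up to 129600 seconds (36 hours) old when their bucket freezes, because the 24-hour clock runs from the newest event in a bucket that may span 12 hours.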