Recently, I discovered that although the Splunk documentation indicates that colddb can be on slower storage, doing so has a performance impact on normal indexing processes because of the need to roll data from warm to colddbs. In my environment, I was able to reduce index blocking by putting colddbs on faster disk. My question, then is can rolling from warm to cold be done on a schedule, say, nightly, instead of dynamically. So, ideally, instead of constantly rolling data to cold, we would roll the oldest FULL Days data to cold, in a first in/first out manner.
Possible? Anyone doing this?
... View more