Hey Esix, thanks for the reply.
No, I do not have a clustered indexes environment, but I have an app naming strategy in place.
All my apps are listed under $SPLUNK_HOME/etc/apps/. The individual indexes.conf files are placed under each app, like $SPLUNK_HOME/etc/apps/app-name/local/indexes.conf.
So, as I mentioned in my question, I have an app called "bod_accesses" and I have set the below settings in $splunk_home$/etc/apps/index-bod_access/local/indexes.conf:
[bod_access]
coldPath = $SPLUNK_DB/bod_access/colddb
homePath = $SPLUNK_DB/bod_access/db
thawedPath = $SPLUNK_DB/bod_access/thaweddb
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair = 1
enableTsidxReduction = 1
minHotIdleSecsBeforeForceRoll = 0
rtRouterQueueSize =
rtRouterThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1
timePeriodInSecBeforeTsidxReduction = 345600
frozenTimePeriodInSecs = 31540000
maxTotalDataSizeMB = 50000
Now, after I restarted the Splunk services, how do I make sure I have only 1 year of events in the HOT DB and the rest of the events in the COLD DB?
Secondly, the HOT DB folder became empty after the restart. Before, it held the latest 3 years of events, and now it is blank. Where did the data go? Was it deleted since I did not mention a frozen DB path in the settings?
I need to set the HOT/WARM DB to 1 year, and the rest should go to the cold DB; then after 3 months it must roll to the frozen bucket.
-Thanks