Hi all,
I'm here to ask for some information about a current setting I found on an existing Splunk index.
In particular, this is the indexes.conf stanza related to the index A:
[A]
homePath = volume:primary/A/db
coldPath = volume:secondary/A/colddb
thawedPath = $SPLUNK_DB/A/thaweddb
homePath.maxDataSizeMB = 15360
coldPath.maxDataSizeMB = 30720
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 7776000
maxDataSize = auto
coldToFrozenDir = /splunk/A/frozendb
archiver.enableDataArchive = 0
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair = 1
enableTsidxReduction = 0
maxTotalDataSizeMB = 102400
minHotIdleSecsBeforeForceRoll = 0
rtRouterQueueSize =
rtRouterThreads =
selfStorageThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1
tsidxWritingLevel =
enableDataIntegrityControl=true
After checking bucket information via the Monitoring Console, I have the following questions:
1) Why is there a hot bucket related to the index A with startEpoch 16 December and endEpoch 31 Dec, with size on disk 375MB? Is it related to the fact that it has hit neither the size nor the time (default maxHotSpanSecs = 90 days) parameter to roll to warm?
2) If my requirement is to set 6 months of retention for this index, how can I be sure the frozenTimePeriodInSecs parameter acts as expected?
3) I was thinking of setting maxHotSpanSecs to 1 day for hot to warm, but what about rolling from warm to cold in a way that does not create any kind of problem with the conf modification on existing data?
Thanks in advance everyone.