I have fairly limited knowledge on buckets. I have one single storage drive available to me of 2 TB, and the retention policy is 18 months. The Splunk indexer is capturing the Windows logs and the data volume is roughly 2-3 Gb per day.
Can I have only Hot and Cold bucket, or do we need Warm bucket as well?
Can I have Hot, Warm and Cold buckets in the same data partition?
Where do I define the folder for buckets (Ex: Z:/...../Hot, Z:/...../Warm, Z:/...../Cold)?
What is the time duration for which data will remain in the hot bucket and warm bucket before it gets rolled off? (Can I define 1 week for hot, 90 days for warm and 18 months for cold, after which it can be purged?)
What entries do I need to make in indexes.conf to achieve this so that my data doesn't get deleted before the retention date?
Can we backup the hot bucket too without taking them offline?
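An indexes.conf stanza matching the retention the question describes, added here as an illustration and not taken from the post or from any answer to it. The index name `windows`, the `$SPLUNK_DB` paths, the roughly 50% on-disk ratio and the bucket-count arithmetic are assumptions to be checked against the actual bucket sizes.

```ini
# Added example (not from the original post): one index on a single 2 TB volume.
# Hot and warm buckets share homePath; cold buckets live in coldPath, which may
# sit on the same partition. Paths below are assumed, not taken from the post.
[windows]
homePath   = $SPLUNK_DB/windows/db
coldPath   = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

# Hot -> warm: a hot bucket rolls when it is 7 days old or reaches maxDataSize,
# whichever comes first. auto_high_volume (~10 GB) keeps weekly buckets intact
# at ~3 GB/day raw if Splunk stores roughly half of raw volume on disk (assumed).
maxHotSpanSecs = 604800
maxDataSize    = auto_high_volume

# Warm -> cold is driven by bucket COUNT, not age. With roughly one warm bucket
# per week, 13 warm buckets is about 90 days. Verify with "| dbinspect index=windows"
# and adjust this count once real bucket sizes are known.
maxWarmDBCount = 13

# Cold -> frozen after 18 months (548 days), measured from the newest event in
# the bucket. With no coldToFrozenDir set, frozen buckets are deleted.
frozenTimePeriodInSecs = 47347200

# Size cap for the whole index. If it is smaller than 18 months of data, the
# OLDEST buckets are frozen early regardless of age, silently breaking retention.
# ~3 GB/day * 548 days is ~1.6 TB raw; 1.8 TB here leaves headroom on a 2 TB disk.
maxTotalDataSizeMB = 1800000
```

The two settings that can delete security logs before the retention date are `maxTotalDataSizeMB` and the volume filling up, so both the index cap and the free space on the drive should be monitored rather than only the age-based setting.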