Re: Archiving frozen data to network drive

sudhir7 · ‎01-08-2019

I am trying to archive data to the network drive, I have following stanza in my indexes.conf file.

[indexName]
frozenTimePeriodInSecs = 31622400
coldToFrozenDir = \\netwotkDrive\splunk\indexName\frozendb

This setting is not working for me.
Has anyone else faced a similar situation? Are there any configurational settings I am missing?

suamme1 · ‎10-09-2019

I wasn't able to get this to work directly to a network folder as you posted. If you are still working on it, I ended up configuring a folder on each indexer that is a NTFS junction to a remote file share. This way, the splunk service writes as if it is a local file and NTFS takes care of the rest. I'm not sure if it's a supported solution, but my low-volume cluster has been running like this for several years with no apparent issues.

One thing to note with an indexer cluster is to point the junction to a different folder within the share for each machine to avoid naming collisions (IndexerA's junction should point to \server\share\indexerA and IndexerB's to \server\share\indexerB or some similar scheme).

dkeck · ‎01-08-2019

Hi,

did you restart after changing this?

sudhir7 · ‎01-09-2019

@dkeck Yes.

Archiving frozen data to network drive

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?