Keith: two questions from the documentation that you quote

1) "Note the following if you are using Hunk's coldToFrozenSh.script"

That should probably be coldToFrozen.sh script

2) "All the search peers to the Hunk search head must have the script installed as well. You can do each peer manually or use the deployer for search head clusters. See Configure search head clustering."

I see the binary on my indexers in /opt/splunk/etc/apps/splunk_archiver/bin so I don't need to do anything right? Doesn't that script come with Splunk 6.3 and greater?

Thanks Becky! I believe you are correct on both counts. I'm bringing this to the attention of our Documentation team.

And a third question.. we add this line to the _archive index stanza not the index stanza without the _archive. Correct?

coldToFrozenScript = "$SPLUNK_HOME/etc/apps/splunk_archiver/bin/coldToFrozen.sh"

On this one, I believe the documentation is correct as it stands. We want to change the behavior of the original index, so that it does not delete its buckets when they roll to frozen. We don't need to change the behavior of the archiving index--it already knows to look for renamed buckets if they are there.

The coldToFrozenScript property is actually a generalized mechanism that you can use without archiving. For instance, if you want to write a script that encrypts old buckets and transfers them via scp to another system, you trigger that script with this property. There is more information about it in the spec for the indexes.conf file:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

Okay so we only add the line to the indexers indexes.conf stanza for those indexes that we are archiving. And not to foo_archive, just foo.

coldToFrozenScript = "$SPLUNK_HOME/etc/apps/splunk_archiver/bin/coldToFrozen.sh"

Somehow I missed this and thought it was to the search head.