I'm trying to "freeze" these buckets, as described in Archive indexed data, and I'm seeing some confusing behavior from Splunk.
By "Freezing" buckets I mean:
I've set my frozen directory to /misc/cloud2/splunk/freezer/accumulating/
, and buckets are being moved there. That is great!
However several buckets with the identical timestamp range are getting frozen there. Why?
The problem is, the buckets shown, in a single index, represent the same time span.
It seems very likely the data is being duplicated.
But the newer buckets are always bigger.
Questions
More details
Note the increasing sequence numbers are associated with increasing journal.gz
sizes.
Here's a sample set of 3 duplicate timestamp ranges:
splunk@nursery-splunkindex-1001:~$ ls -d /misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399*
/misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399_1456930800_1238
/misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399_1456930800_1982
/misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399_1456930800_803
Here's the journals getting progressively larger:
splunk@nursery-splunkindex-1001:~$ ls -l /misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399*/rawdata/journal.gz
-rw------- 1 splunk splunk 1287 Apr 3 18:53 /misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399_1456930800_1238/rawdata/journal.gz
-rw------- 1 splunk splunk 1566 Apr 3 18:59 /misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399_1456930800_1982/rawdata/journal.gz
-rw------- 1 splunk splunk 651 Apr 3 18:51 /misc/cloud2/splunk/freezer/accumulating/service_public/db_1456934399_1456930800_803/rawdata/journal.gz
It was the Splunk App forAWS -- http://docs.splunk.com/Documentation/AddOns/latest/AWS/Description
How to fix?
Unfortunately, it isn't clear what you are trying to do and how. Can you please elaborate?
Sure. I'm trying to "freeze" these buckets, as described in Archive indexed data
In short this means
The problem is, the buckets shown, in a single index, represent the same time span.
It seems very likely the data is being duplicated.
But the newer buckets are always bigger.