Do I need to define coldToFrozenDir in indexes.con...

sim_tcr · ‎07-08-2016

Hello,

Our indexer is getting full because of lot of old colddb data. I am checking the option of coldToFrozenDir and then delete the contents inside coldToFrozenDir. Right now I don't see any folder called frozendb in my indexer.
Should I also define coldToFrozenDir = $SPLUNK_COLD_DB/fens/frozendb to get older data moved there?

Below is sample from our indexes.conf

[fens]
repFactor=auto
homePath = $SPLUNK_DB/fens/db
coldPath = $SPLUNK_COLD_DB/fens/colddb
thawedPath = $SPLUNK_DB/fens/thaweddb
maxWarmDBCount = 10
frozenTimePeriodInSecs = 2592000
maxDataSize = auto_high_volume
# this index will exceed the default of .5TB requiring a change to maxTotalDataSizeMB
maxTotalDataSizeMB = 1100000

jkat54 · ‎07-08-2016

By default "freezing data" is synonymous with "deleting data" in Splunk.

There is no need for a coldToFrozenDir if you really just want to delete the data.

If you want to keep the data for some time before manually deleting it, then yes you will set coldToFrozenDir in indexes.conf but you would probably want it somewhere else like /mnt/externalstorage/old_data_to_be_deleted_here/.

Give this article a careful read:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/HowSplunkstoresindexes

Do I need to define coldToFrozenDir in indexes.conf to move old colddb data to before deletion?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability