Getting Data In

Archiving all indexes after 1 year

heathramos
Path Finder

I am trying to set up archiving but I can't seem to get it working.

From the docs I've read, I thought I just need to create a indexes.conf file, place it within system/local and include a line referring to coldToFrozenDir and frozenTimePeriodInSecs .

I tried that for one index and if I restart Splunk, the service won't start back up again unless I delete that file.

How exactly do I set this up?

0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

If Splunk doesn't restart because of indexes.conf issues, it should give you some error messages in $SPLUNK_HOME\var\run\splunk\splunkd.log during startup (given your example, I am assuming you are running on Windows)
It would be helpful to see what is being logged.

My best guess is the quotes in your directory, which probably prevent resolution of the env. variable.

View solution in original post

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

If Splunk doesn't restart because of indexes.conf issues, it should give you some error messages in $SPLUNK_HOME\var\run\splunk\splunkd.log during startup (given your example, I am assuming you are running on Windows)
It would be helpful to see what is being logged.

My best guess is the quotes in your directory, which probably prevent resolution of the env. variable.

0 Karma

heathramos
Path Finder

changed the path and restarted splunk

got the following error:

ERROR loader - Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index 'windows': path of coldToFrozenDir must be absolute ('"d:\Splunk_Archive\windows"')

0 Karma

heathramos
Path Finder

looks like getting rid of the quotes completely worked

thanks

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Thank you for closing the loop!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
SplunkTrust
SplunkTrust

It may be crashing due to wrong configs (indexes.conf is an important configuration file). Make sure you update the config file correctly. See this links for details on those properties.
https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Setaretirementandarchivingpolicy
https://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Automatearchiving

0 Karma

heathramos
Path Finder

What should be in that config file?

My file contains the following:

[windows]
coldToFrozenDir = "$SPLUNK_DB\windows\frozendb"
frozenTimePeriodInSecs = 31536000

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try putting hardcoded path (full path) in coldToFrozenDir attribute.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...