Solved: If a cold to frozen script fails, what happens?

roychen · ‎01-21-2013

Hello,

In indexes.conf, we can specify a value for coldToFrozenScript, to run a specific script when cold buckets are rolled to frozen.

What happens if the script fails to execute, or returns an error code, etc, when a rolling of cold buckets to frozen is triggered?

Will the cold buckets be deleted in this case?

Thanks!

roychen · ‎01-22-2013

According to Splunk support, if the script to roll cold buckets to frozen fails to run, the cold buckets will not be deleted.

If these cold buckets are not deleted, and new incoming data would cause the index to exceed its configured size, Splunk will not delete the cold buckets to make room. Instead, the index will grow in size till the script is fixed.

View solution in original post

roychen · ‎01-22-2013

According to Splunk support, if the script to roll cold buckets to frozen fails to run, the cold buckets will not be deleted.

If these cold buckets are not deleted, and new incoming data would cause the index to exceed its configured size, Splunk will not delete the cold buckets to make room. Instead, the index will grow in size till the script is fixed.

the_wolverine · ‎06-24-2013

You can configure deletion by age AND by size. The condition that matches first will prevail. It is possible that the second condition will never match due to the first condition.

chimbudp · ‎06-24-2013

If we had set the limit of index to a particular smaller value (say 100MB),Will Splunk overrides the value to auto and make the index size to grow ?

If a cold to frozen script fails, what happens?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases