Configure Spunk Hot/Warm, Cold and Frozen

erlindemberg · ‎01-09-2020

How do I configure HOT / WARM, COULD, and FROZEN in Splunk Enterpise?

I need to configure Splunk Data Retention and which folder and file to make sure of this setting.

The settings I need to provide for Splunk. My Splunk version is 7.2

Hot / Warm = 14 days
Could = 60 days
Frozen = 11 months

Can you help me with this setting?

richgalloway · ‎01-10-2020

Buckets roll when they reach a certain size or when the reach a certain age, whichever happens first. To make time the only factor, you must set the size limit high enough that it is no longer a factor. It helps if your hot buckets are configured so they contain only a single day of data.

Frozen buckets are not managed by Splunk. You control when they are deleted (using cron, etc.).

---
If this reply helps you, Karma would be appreciated.

jarizeloyola · ‎01-09-2020

You cannot set time retention on hot or warm buckets, it rolls once a certain limit is reached.

This links will help you set that up and understand the Splunk Data life cycle
https://wiki.splunk.com/Deploy:BucketRotationAndRetention
https://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Configureindexstorage
https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-...

Configure Spunk Hot/Warm, Cold and Frozen

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!