Security

How to set different frozen locations for each indexer on a distributed environment

arrangineni
Path Finder

We am trying to roll of the frozen data from three indexers to a NFS mount directory which contains three sub-directories with indexer names. Whenever I am trying to create new index and define the frozen path, need to manually define the coldToFrozenDir on each Indexers as they must be pointing to the sub-directories on the mounts instead of main directory.

Is there a an option within indexes.conf to get this automated so we can deploy using our DS?

IDX1: /abc/frozen/idx1
IDX2:/abc/frozen/idx2
IDX2:/abc/frozen/idx3

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

In indexes.conf, we have two options for rolling of frozen data, one is the coldToFrozenDir which you use here and other is coldToFrozenScript in which you define a script to move the buckets to be frozen. So, you can use that and your script can dynamically take the current host (which is the indexer where buckets are frozen) and create/add rolled bucket to respective directory in NFS.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Indexesconf

A sample (for reference) script can be found here:
https://answers.splunk.com/answers/338594/does-anyone-have-a-working-example-of-coldtofrozen.html

View solution in original post

0 Karma

nickhills
Ultra Champion

Its not in the docs, but have you tried using $HOSTNAME at the end of the path?

If my comment helps, please give it a thumbs up!
0 Karma

somesoni2
SplunkTrust
SplunkTrust

In indexes.conf, we have two options for rolling of frozen data, one is the coldToFrozenDir which you use here and other is coldToFrozenScript in which you define a script to move the buckets to be frozen. So, you can use that and your script can dynamically take the current host (which is the indexer where buckets are frozen) and create/add rolled bucket to respective directory in NFS.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Indexesconf

A sample (for reference) script can be found here:
https://answers.splunk.com/answers/338594/does-anyone-have-a-working-example-of-coldtofrozen.html

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...