Deployment Architecture

Issue trying to archive Splunk data

uayub
Path Finder

The following indexes.conf was created in the local directory (in Ubuntu).

index specific defaults

maxDataSize = 90000
maxHotSpanSecs = 7776000
maxWarmDBCount = 2
frozenTimePeriodInSecs = 86400
coldToFrozenDir = /opt/splunk/var/lib/splunk/defaultdb/frozendb

The expectation was that the Hot bucket would keep 90 GB of data (which would be around 90 days) before moving it to Warm (either via time or size). There would be just 2 Warm buckets (around 6 months of data). As soon as another Hot bucket rolled to Warm, the old Warm bucket would move to Cold, and stay there for at least 24 hours.

But as soon as the above change was implemented and the Splunk daemon restarted, I could perform a search for just one day. All the data had been moved to the Frozen folder.

Questions:
1) Why did this happen? Supposedly 6 months of data should have been in the Hot+Warm buckets.
2) The main goal was to keep 180 days of data in Hot+Warm, and I should be able to search 1 year of data (for PCI).
3) If I were to restore my data from the Frozen folder, is there a way to restore multiple files at a time? I found an article which shows how to restore 1 file at a time.

Thanks

UA


bmacias84
Champion

Hello @uayub,

Keep in mind that those are not the only settings. Is your maxDataSize greater than maxTotalDataSizeMB? Not quite sure why you are specifying maxWarmDBCount. I use the default maxWarmDBCount for performance reasons.

  1. maxTotalDataSizeMB (default is 500GB)
  2. Did you set maxHotIdleSecs (should be zero)
  3. But the culprit seems to be your frozenTimePeriodInSecs = 86400

frozenTimePeriodInSecs will move every event in the DB (index) older than the value set, and it will be frozen when splunkd checks in based on the rotatePeriodInSecs attribute. Re-read the indexes.conf spec on Splunk Base.

Also use btool for debugging your conf files: $SPLUNK_HOME/bin/splunk btool indexes list --debug. This will dump all your indexes.conf settings along with which app is setting them.

Hope this helps or gets you started. If it does, don't forget to accept or vote up.

Cheers,
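To make the interaction between these settings concrete, here is a small retention linter, written as an added example for this thread (it is not Splunk code and not the answerer's). It parses an indexes.conf stanza, fills in the spec defaults for keys that are absent, and flags the trap in the original post: frozenTimePeriodInSecs shorter than maxHotSpanSecs, so a bucket can be frozen before it has even rolled out of hot. Note that Splunk applies frozenTimePeriodInSecs per bucket, based on the bucket's newest event, which is why a one-day value empties an index that had 90-day hot buckets. The stanza name `pci`, the 365-day target, the `SPLUNK_DEFAULTS` values (taken from the indexes.conf spec; verify against your version) and both sample configs are my own constructions.

```python
import configparser

DAY = 86400

# Spec defaults used when the stanza omits a key (assumed from the
# indexes.conf spec; check the spec shipped with your Splunk version).
SPLUNK_DEFAULTS = {
    "frozenTimePeriodInSecs": "188697600",  # 6 years
    "maxHotSpanSecs": "7776000",            # 90 days
    "maxWarmDBCount": "300",
    "maxTotalDataSizeMB": "500000",         # 500 GB per index
    "maxDataSize": "auto",                  # 750 MB per bucket
}


def _bucket_mb(value):
    """Resolve maxDataSize to megabytes ('auto' and 'auto_high_volume' are symbolic)."""
    v = value.strip().lower()
    if v == "auto":
        return 750
    if v == "auto_high_volume":
        return 10000
    return int(v)


def parse_stanza(conf_text, stanza):
    """Return the effective key/value map for one index stanza, layering
    spec defaults, then a [default] stanza if present, then the index itself."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys intact
    cp.read_string(conf_text)
    merged = dict(SPLUNK_DEFAULTS)
    if cp.has_section("default"):
        merged.update(cp["default"])
    merged.update(cp[stanza])
    return merged


def retention_days(conf_text, stanza):
    """Time-based retention: age at which a bucket's newest event triggers freezing."""
    return int(parse_stanza(conf_text, stanza)["frozenTimePeriodInSecs"]) / DAY


def lint_retention(conf_text, stanza, required_days):
    """Return a list of finding codes for the stanza; empty means no problem found."""
    s = parse_stanza(conf_text, stanza)
    frozen = int(s["frozenTimePeriodInSecs"])
    hot_span = int(s["maxHotSpanSecs"])
    warm_count = int(s["maxWarmDBCount"])
    total_mb = int(s["maxTotalDataSizeMB"])
    bucket_mb = _bucket_mb(s["maxDataSize"])
    findings = []
    # A hot bucket can span up to maxHotSpanSecs; if the freeze age is shorter,
    # the bucket is already past its freeze age the moment it rolls to warm.
    if frozen < hot_span:
        findings.append("FROZEN_BEFORE_HOT_ROLL")
    # Compliance target (e.g. one year for PCI) is not met by time-based retention.
    if frozen < required_days * DAY:
        findings.append("FROZEN_BELOW_TARGET")
    # Heuristic: if hot + warm alone can exceed the index cap, the oldest buckets
    # get frozen on size long before frozenTimePeriodInSecs matters.
    if bucket_mb * (warm_count + 1) > total_mb:
        findings.append("SIZE_CAP_BEFORE_WARM_FULL")
    # Without an archive destination, frozen buckets are deleted, not archived.
    if "coldToFrozenDir" not in s and "coldToFrozenScript" not in s:
        findings.append("FROZEN_DATA_DELETED")
    return findings


# Constructed sample: the settings from the original post, under an assumed stanza.
ASKER_CONF = """
[pci]
maxDataSize = 90000
maxHotSpanSecs = 7776000
maxWarmDBCount = 2
frozenTimePeriodInSecs = 86400
coldToFrozenDir = /opt/splunk/var/lib/splunk/pci/frozendb
"""

# Constructed sample: same layout with a one-year freeze age and an explicit index cap.
FIXED_CONF = """
[pci]
maxDataSize = 90000
maxHotSpanSecs = 7776000
maxWarmDBCount = 2
maxTotalDataSizeMB = 400000
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /opt/splunk/var/lib/splunk/pci/frozendb
"""

if __name__ == "__main__":
    for name, conf in (("asker", ASKER_CONF), ("fixed", FIXED_CONF)):
        print(name, retention_days(conf, "pci"), lint_retention(conf, "pci", 365))
```

Run it against the effective configuration rather than a single file: pipe the stanza from `splunk btool indexes list <index>` into `conf_text`, since a `[default]` stanza or another app may override what the local indexes.conf says.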

bmacias84
Champion

@uayub,
I see you voted up my answer, and I hope it helped. Would you mind accepting the answer by clicking the checkmark? Thanks.

cheers
