Moving data in indexers (clustered environment) to frozen bucket

cirkit1
Explorer

Have a clustered environment of 3 indexers. Data in the indexers was used to test full architecture capability.

Don't need the data anymore in the indexers as would like to start off with clean slate on indexers.

Would like to move existing data to a frozen bucket, as we have been told repeatedly it is not a good idea to delete indexer data.

Looking for recommendation on best path and feasibility.

lguinn2
Legend

You could do it this way:

  1. Make sure that no inputs.conf is sending data to that index. Generally, it is okay to downsize an index while it is still being used, but the settings you will use here are pretty extreme. And you are deleting the index in the last step.
  2. Make sure that you have specified a coldToFrozenDir - it can be anywhere that you like
  3. Set the frozenTimePeriodInSecs to a small value like 86400 (1 day).
  4. Wait until the time period is up.
  5. Use this search `| dbinspect index=yourindex span=7d` to check that you do not have any buckets with data in them. You should still have hot buckets, but the event count should be zero.
  6. Archive everything in the frozen directory.
  7. Delete the directory containing the index (its location is specified in indexes.conf)
  8. Delete the index stanza from indexes.conf.

    [yourindex]
    ...
    frozenTimePeriodInSecs=86400
    coldToFrozenDir=/tmp/directoryforfrozenbuckets
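
Steps 2 and 3 depend on each other: Splunk's default action when a bucket freezes is to delete it, so shortening `frozenTimePeriodInSecs` on a stanza with no archive destination discards the data. The script below is an added example, not part of the answer above, that checks an indexes.conf file for both settings before retention is shortened; `get_setting`, `check_freeze_ready`, `make_sample` and the `otherindex` stanza are hypothetical names, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight check before shortening retention.

# Print one setting from one stanza of an indexes.conf-style file.
get_setting() {  # usage: get_setting FILE STANZA KEY
  awk -v stanza="[$2]" -v key="$3" '
    /^[ \t]*#/  { next }                          # skip comment lines
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_stanza = ($0 == stanza); next }
    in_stanza {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v                       # a repeated key keeps the last value seen
    }
    END { print val }
  ' "$1"
}

# Return 0 only if the stanza names an archive directory and a numeric retention.
check_freeze_ready() {  # usage: check_freeze_ready FILE INDEX
  local dir secs
  dir=$(get_setting "$1" "$2" coldToFrozenDir)
  secs=$(get_setting "$1" "$2" frozenTimePeriodInSecs)
  if [ -z "$dir" ]; then
    echo "FAIL [$2]: coldToFrozenDir is not set in this stanza" >&2; return 1
  fi
  case "$secs" in
    ''|*[!0-9]*) echo "FAIL [$2]: frozenTimePeriodInSecs is missing or not a number" >&2; return 2 ;;
  esac
  echo "OK [$2]: buckets older than ${secs}s are archived to ${dir}"
}

# Constructed sample: the stanza from the answer plus a hypothetical index with no archive dir.
make_sample() {
  local f; f=$(mktemp)
  printf '%s\n' '[yourindex]' 'frozenTimePeriodInSecs = 86400' \
    'coldToFrozenDir = /tmp/directoryforfrozenbuckets' '' \
    '# hypothetical second index' '[otherindex]' 'frozenTimePeriodInSecs=86400' > "$f"
  echo "$f"
}

sample=$(make_sample)
check_freeze_ready "$sample" yourindex
check_freeze_ready "$sample" otherindex || echo "otherindex: fix indexes.conf before shortening retention"
rm -f "$sample"
```

The script reads a single file; on a live indexer the effective merged settings are shown by `splunk btool indexes list yourindex`.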
