I am setting up a multisite cluster, and this is the first time I have messed with indexes away from defaults.
My goals:
All data must be kept for 5 years.
When a certain amount of data is in warm, roll it off to cold.
When any data meets the 5year mark, delete it.
#indexes.conf in my cluster config:
#global
#My data will stay in warm until it reaches 500GB
homePath.maxDataSizeMB = 500000
#My warm data will purge after 5.1 years from ingest date
homePath.frozenTimePeriodInSeconds = 160833600
#My data will stay in cold indefinitely
coldPath.maxDataSizeMB = 0
#My cold data will purge after 5.1 years from ingest date
coldPath.frozenTimePeriodInSeconds = 160833600
#define volumes
[volume:hot]
D:\splunk-hot
[volume:cold]
E:\splunk-cold
#indexes
[myindex]
repFactor = auto
homePath = volume:hot\myindex\db
homePath = volume:cold\myindex\db
thawedPath = $SPLUNK_DB\myindex\db
Does this conf accomplish my index management goals?
I am a little uncertain on the "homePath.frozenTimePeriodInSeconds = 160833600" line -- does this really dump the data straight from warm to frozen?
↧
