repFactor = auto
homePath = volume:home/indexname/db
coldPath = volume:SAN/indexname/colddb
thawedPath = $SPLUNK_THAW_VOL/indexname/thaweddb
# the max settings are copied from main's default max settings
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume
homePath.maxDataSizeMB = 409600
coldPath.maxDataSizeMB = 1536000
maxTotalDataSizeMB = 1945600
# maxTotalDataSizeMB = ?
# keep logs for 90 days
frozenTimePeriodInSecs = 7776000
The logs seem to be rolling from cold to frozen at around 60 days, all but one or two source types (so when I search back to between 60 and 90 days I only see one or two sourcetypes when there should exist over 20).
The coldpath limit isn't even close to being hit on this index. I implemented this index configuration at the beginning of the year so it should be keeping the data for 90 day periods, yet it's throwing them out before. Are there other areas that can trigger a rolling from cold to frozen? We have plenty of space on the drives as well.
↧