Using Splunk Enterprise 6.4.1 on Linux. Hot/warm/cold are all on the same partition. All data should be deleted after 45 days, but searchable for the entire 45 days. Is there a formula of some sort that I can apply to figure out the proper setting for each of my 3 indexes? The data is stored in 3 separate indexes to facilitate access control via Splunk roles. The average event size is 1615 bytes.
Index 1 receives an average of 1.2 million events per day (1,200,000 * 1615 = 1848M/day)
Index 2 receives an average of 10-20 events per day. (10 * 1615 = 0.0154M/day)
Index 3 receives an average of 28,000 events per day (28,000 * 1615 = 44M/day)
I've got this to start, but I'm not sure how to get the warm buckets to roll to cold. It's my understanding that frozenTimePeriodInSecs does not trigger unless the buckets are in the cold state.
# indexes.conf; hot, warm and cold buckets all live under $SPLUNK_DB on one partition
# homePath holds hot and warm buckets, coldPath holds cold buckets, thawedPath holds restored archives; all three paths are required for a custom index
# maxDataSize = auto caps a bucket at 750 MB; frozenTimePeriodInSecs = 3888000 is 45 days * 86400 s, measured against the newest event in a bucket; with no coldToFrozenDir or coldToFrozenScript a frozen bucket is deleted
# receives ~1.2 million events per day
[index1]
homePath = $SPLUNK_DB/index1/db
coldPath = $SPLUNK_DB/index1/colddb
thawedPath = $SPLUNK_DB/index1/thaweddb
maxHotBuckets = 10
maxDataSize = auto
frozenTimePeriodInSecs = 3888000

# receives ~10-20 events per day
[index2]
homePath = $SPLUNK_DB/index2/db
coldPath = $SPLUNK_DB/index2/colddb
thawedPath = $SPLUNK_DB/index2/thaweddb
maxHotBuckets = 10
maxDataSize = auto
frozenTimePeriodInSecs = 3888000
# roll a hot bucket to warm once it has received no data for 24 hours, so a low-volume bucket does not linger in hot status
maxHotIdleSecs = 86400

# receives ~28K events per day
[index3]
homePath = $SPLUNK_DB/index3/db
coldPath = $SPLUNK_DB/index3/colddb
thawedPath = $SPLUNK_DB/index3/thaweddb
maxHotBuckets = 10
maxDataSize = auto
frozenTimePeriodInSecs = 3888000
I've read the [Wiki for Bucket Rotation][1] and [Wiki for Understanding Buckets][2] and I'm still not clear. Any insight you can provide would be greatly appreciated!
[1]: http://wiki.splunk.com/Deploy:BucketRotationAndRetention
[2]: http://wiki.splunk.com/Community:UnderstandingBuckets
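The sizing arithmetic the question asks for, as an added example that is not part of the original post or of Splunk's own tooling. It takes the post's inputs (events per day, 1615-byte average event, 45-day retention) and produces the figures needed to check each stanza: raw ingest per day in MiB (matching the post's 1848M figure for index1), raw volume over the retention window, how many 750 MB buckets that volume fills under maxDataSize = auto, whether the default maxWarmDBCount of 300 would roll warm buckets to cold before the 45 days are up, and the frozenTimePeriodInSecs value. DISK_RATIO (0.5) is an assumption, a rule-of-thumb compression estimate; the event counts and the $SPLUNK_DB path convention in the rendered stanza are taken from the post and from Splunk's default layout.

```python
"""Retention sizing helper for Splunk indexes.conf.

Added example, not from the original post.  Facts used: maxDataSize=auto caps
a bucket at 750 MB (Splunk sizes are in MiB); maxWarmDBCount defaults to 300;
frozenTimePeriodInSecs is compared against the newest event in a bucket.
DISK_RATIO is an assumption: a commonly quoted rule of thumb that compressed
raw data plus index files come to about half the raw size.  Measure real
indexes before relying on it.
"""
import math
from dataclasses import dataclass

MIB = 1024 * 1024
DAY_SECS = 86400
AUTO_BUCKET_MB = 750          # maxDataSize = auto
DEFAULT_MAX_WARM = 300        # maxWarmDBCount default
DISK_RATIO = 0.5              # assumption, see module docstring


@dataclass
class IndexPlan:
    name: str
    raw_day_mib: float
    raw_total_mib: float
    est_disk_mib: float
    buckets_needed: int
    frozen_secs: int
    warm_cap_hit: bool


def plan_index(name, events_per_day, avg_event_bytes, retention_days,
               bucket_mb=AUTO_BUCKET_MB, max_warm=DEFAULT_MAX_WARM,
               disk_ratio=DISK_RATIO):
    """Derive retention figures for one index from its ingest profile."""
    if events_per_day <= 0 or avg_event_bytes <= 0 or retention_days <= 0:
        raise ValueError("all inputs must be positive")
    raw_day_mib = events_per_day * avg_event_bytes / MIB
    raw_total_mib = raw_day_mib * retention_days
    # Size-driven rolling: a hot bucket rolls to warm when it reaches bucket_mb.
    # A very low-volume index never fills one bucket, so floor the count at 1;
    # there, time-based triggers such as maxHotIdleSecs decide when it rolls.
    buckets_needed = max(1, math.ceil(raw_total_mib / bucket_mb))
    return IndexPlan(
        name=name,
        raw_day_mib=raw_day_mib,
        raw_total_mib=raw_total_mib,
        est_disk_mib=raw_total_mib * disk_ratio,
        buckets_needed=buckets_needed,
        frozen_secs=retention_days * DAY_SECS,
        # If more warm buckets than maxWarmDBCount accumulate inside the
        # retention window, the oldest roll to cold before they are frozen.
        warm_cap_hit=buckets_needed > max_warm,
    )


def render_stanza(plan, max_hot_buckets=10):
    """Emit an indexes.conf stanza for the plan using the $SPLUNK_DB layout."""
    lines = [
        f"[{plan.name}]",
        f"homePath = $SPLUNK_DB/{plan.name}/db",
        f"coldPath = $SPLUNK_DB/{plan.name}/colddb",
        f"thawedPath = $SPLUNK_DB/{plan.name}/thaweddb",
        f"maxHotBuckets = {max_hot_buckets}",
        "maxDataSize = auto",
        f"frozenTimePeriodInSecs = {plan.frozen_secs}",
    ]
    return "\n".join(lines)


# Constructed inputs taken from the question: events per day per index.
QUESTION_INDEXES = {"index1": 1_200_000, "index2": 10, "index3": 28_000}


def plan_all(indexes=QUESTION_INDEXES, avg_event_bytes=1615, retention_days=45):
    """Plan every index in the mapping with a shared event size and retention."""
    return {n: plan_index(n, e, avg_event_bytes, retention_days)
            for n, e in indexes.items()}


if __name__ == "__main__":
    for p in plan_all().values():
        print(f"{p.name}: {p.raw_day_mib:.1f} MiB/day raw, "
              f"{p.raw_total_mib:.0f} MiB raw over retention, "
              f"~{p.est_disk_mib:.0f} MiB on disk (assumed ratio), "
              f"{p.buckets_needed} x {AUTO_BUCKET_MB} MB buckets, "
              f"warm cap hit before freeze: {p.warm_cap_hit}")
        print(render_stanza(p))
        print()
```

For the post's figures this yields about 111 buckets over 45 days for index1, 3 for index3 and a single never-full bucket for index2, none of which reach the default warm-bucket cap; swap in your own `max_warm` or `bucket_mb` to see how settings such as `maxWarmDBCount` or `maxDataSize = auto_high_volume` change the picture.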