Channel: Questions in topic: "splunk-enterprise"

A-Z on freezing & recovering older files in an index.

I am fairly new to Splunk and have been trying to piece together my understanding of things via the numerous answers in the Splunk knowledge base. However, at this point in time I'm honestly clueless on how to fix this issue: I have a sizeable block of old logs (100+ GB) going back about two to three years. After noticing that these old logs were not being archived, I began consulting the KBs to find a solution.

So far my understanding is as follows:

1. To instruct Splunk to archive files automatically, you need to give the index two things to reference:
   a. coldToFrozenDir = this is a location where Splunk will toss cold logs; this is an archive for frozen logs that can be *thawed* should the need arise.
   b. frozenTimePeriodInSecs = this is the length of time (in seconds) a log will sit before Splunk sends it to the archive above.

With my very limited knowledge in mind, here's what I THINK I need to do:

1. Stop Splunk.
2. Create a frozen directory here: $SPLUNK_HOME\var\lib\splunk\defaultdb
3. Create a new conf file in the $SPLUNK_HOME\etc\system\local directory, including the new frozen directory as the *coldToFrozenDir*.
4. To test, set *frozenTimePeriodInSecs* back, not quite to my goal but far enough to archive some of the oldest stuff.
5. Once these changes are saved in my new conf file, start Splunk.

Is this accurate? If I adjust my index to include a cold-to-frozen directory, then specify a limit to the age of my logs, will this help me clear out some of my older stuff without deleting anything?

Once files appear in the frozen directory, to retrieve them do I simply:

1. Copy from frozen to thawed
2. Navigate to the CLI and run the splunk rebuild command?

I realize many of these questions may seem a bit simple, but I really could use a bit of info on how to solve this.
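Added example, not part of the original post: a dry-run check for the test in step 4, listing which buckets a candidate `frozenTimePeriodInSecs` value would roll to frozen. It assumes Splunk's standard warm/cold bucket directory naming (`db_<newest>_<oldest>_<id>`) and that a bucket freezes only once its newest event is older than the retention period; the bucket names, `NOW`, and the function name are constructed for illustration.

```python
import re

# Warm/cold bucket directories are named db_<newest>_<oldest>_<id> (epoch
# seconds). Clustered indexers append _<guid>; replicated copies start with rb_.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")

def buckets_due_to_freeze(bucket_names, frozen_time_period_in_secs, now):
    """Return [(name, newest_event_epoch)] for buckets past retention, oldest first."""
    cutoff = now - frozen_time_period_in_secs
    due = []
    for name in bucket_names:
        m = BUCKET_RE.match(name)
        if m is None:
            continue  # hot buckets (hot_v1_<id>) and stray files are not candidates
        newest = int(m.group(1))
        # The bucket's NEWEST event decides: one recent event keeps the whole
        # bucket, however old its earliest events are.
        if newest < cutoff:
            due.append((name, newest))
    return sorted(due, key=lambda item: item[1])

# Constructed sample data. On a real indexer the names would come from
# os.listdir() on the index's db and colddb directories.
NOW = 1600000000                 # fixed "current time" so the result is reproducible
ONE_YEAR = 365 * 24 * 60 * 60    # candidate frozenTimePeriodInSecs value
SAMPLE_BUCKETS = [
    "db_1500000000_1490000000_3",
    "db_1570000000_1499000000_4",   # old earliest event, recent newest event
    "db_1560000000_1550000000_7",
    "rb_1510000000_1505000000_2_5F3C2A10-1B2C-4D5E-8F90-123456789ABC",
    "hot_v1_12",
]

if __name__ == "__main__":
    for name, newest in buckets_due_to_freeze(SAMPLE_BUCKETS, ONE_YEAR, NOW):
        print(f"{name}: newest event at epoch {newest} is past retention")
```

The second sample bucket holds events almost three years old but is not listed, because its newest event is still inside the one-year window.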
