In a test environment (two indexers, one SH, one cluster master/deployment server) I froze any data that was older than half a day.
Indexes.conf:
```
[endor]
repFactor = auto
homePath = $SPLUNK_DB\endor\db
coldPath = $SPLUNK_DB\endor\colddb
thawedPath = $SPLUNK_DB\endor\thaweddb
maxWarmDBCount = 2
maxDataSize = auto_high_volume
frozenTimePeriodInSecs = 43200
coldToFrozenDir = $SPLUNK_HOME\Archive\endor
```
Then I used the rebuild method on both indexers following directions here: [docs.splunk.com/Documentation/Splunk/6.3.1/Indexer/Restorearchiveddata][1]
The rebuild did not restore all of the data and only allows me to search back to December 17th. Prior to the frozen bucket configuration, the data went back to April 2014ish.
[1]: http://docs.splunk.com/Documentation/Splunk/6.3.1/Indexer/Restorearchiveddata