

SPLUNK ARCHIVER APP ARCHIVE
You can configure the indexer to archive your data automatically as it ages; specifically, at the point when it rolls to "frozen". To do this, you configure indexes.conf.

Caution: By default, the indexer deletes all frozen data. It removes the data from the index at the moment it becomes frozen. If you need to keep the data around, you must configure the indexer to archive the data before removing it. You do this by either setting the coldToFrozenDir attribute or specifying a valid coldToFrozenScript in indexes.conf.

For detailed information on data storage, see How the indexer stores indexes. For information on editing indexes.conf, see Configure index storage.

Note: Although SmartStore indexes do not usually contain cold buckets, you still use the attributes described here (coldToFrozenDir and coldToFrozenScript) to archive SmartStore buckets as they roll directly from warm to frozen. See Configure data retention for SmartStore indexes.

The indexer rotates old data out of the index based on your data retirement policy, as described in Set a retirement and archiving policy. Data moves through several stages, which correspond to file directory locations. Data starts out in the hot database, located as subdirectories ("buckets") under $SPLUNK_HOME/var/lib/splunk/defaultdb/db/. It then moves to the warm database, also located as subdirectories under $SPLUNK_HOME/var/lib/splunk/defaultdb/db. Eventually, data is aged into the cold database $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb.

Finally, data reaches the frozen state. This can happen for a number of reasons, as described in Set a retirement and archiving policy. At this point, the indexer erases the data from the index. If you want the indexer to archive the frozen data before erasing it from the index, you must specify that behavior.
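One way to write a coldToFrozenScript that keeps frozen buckets usable as evidence: it copies the bucket, verifies the copy by SHA-256 and reports success only after the copy is in place. This is an added example, not Splunk's own script. The archive path and the script name archive_frozen.py are hypothetical, and it assumes the indexer passes the bucket directory as the script's only argument and treats a non-zero exit status as a failed archive.

```python
"""Added example of a coldToFrozenScript (hypothetical name: archive_frozen.py)."""
import hashlib
import os
import shutil
import sys

ARCHIVE_ROOT = "/opt/splunk_frozen"  # assumed archive location, not from the page

def tree_digests(root):
    """Map every file under root (by relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def archive_bucket(bucket, archive_root=ARCHIVE_ROOT):
    """Copy one bucket to archive_root/<index dir>/<bucket>, verify it, return the path."""
    bucket = os.path.abspath(bucket)
    # Bucket paths look like .../defaultdb/colddb/<bucket>; keep the index directory name.
    index_dir = os.path.basename(os.path.dirname(os.path.dirname(bucket)))
    dest = os.path.join(archive_root, index_dir, os.path.basename(bucket))
    if os.path.exists(dest):
        raise FileExistsError("refusing to overwrite " + dest)
    partial = dest + ".partial"
    shutil.rmtree(partial, ignore_errors=True)  # leftover from an interrupted run
    shutil.copytree(bucket, partial)
    copied = tree_digests(partial)
    if copied != tree_digests(bucket):
        raise OSError("copy of %s does not match the source" % bucket)
    with open(os.path.join(partial, "SHA256SUMS"), "w") as fh:
        fh.writelines("%s  %s\n" % (d, rel) for rel, d in sorted(copied.items()))
    os.rename(partial, dest)  # the final name appears only after verification
    return dest

def main(argv):
    try:
        archive_bucket(argv[1])
    except Exception as exc:  # a missing argument or any I/O error counts as failure
        print("archive failed: %s" % exc, file=sys.stderr)
        return 1  # never report success for a bucket that was not archived
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The SHA256SUMS manifest written beside the archived files lets you check later that a bucket has not changed since it was frozen.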
