Automate archiving

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Use Splunk's index aging policy to archive

Automate archiving

Set up Splunk to archive your data automatically as it ages. To do this, configure indexes.conf to call archiving scripts located in $SPLUNK_HOME/bin. Edit this file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work. Do not edit the copy in default.

Note: By default, Splunk deletes ALL frozen data. To avoid losing your data, you must specify a valid coldToFrozenScript in $SPLUNK_HOME/etc/system/local/indexes.conf (or your own custom app directory in $SPLUNK_HOME/etc/apps/).

Use Splunk's index aging policy to archive

Splunk rotates old data out of the index based on your data retirement policy. Data moves through several stages, which correspond to file directory locations. Data starts out in the hot database $SPLUNK_HOME/var/lib/splunk/defaultdb/db/db_hot. Then, data moves through the warm database $SPLUNK_HOME/var/lib/splunk/defaultdb/db. Eventually, data is aged into the cold database $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb.

Finally, data reaches the frozen state. Splunk erases frozen index data once it is older than frozenTimePeriodinSecs in indexes.conf. The coldToFrozenScript (also specified in indexes.conf) runs just before the frozen data is erased. The default script simply writes the name of the directory being retired, e.g. /opt/splunk/var/lib/splunk/defaultdb/colddb, to the log file $SPLUNK_HOME/var/log/splunk/splunkd_stdout.log.

Add the following to $SPLUNK_HOME/etc/system/local/indexes.conf:

[<index>]
coldToFrozenScript = <script>

[<index>]
- Specify which index to archive.
coldToFrozenScript = <script>
- Specify the archiving script to use by changing <script>.
- Define <$script> paths relative to splunk/bin.
- Splunk ships with two default archiving scripts that you can use.
- Note: Rename and then modify these scripts to set the archive location for your installation. By default, the location is set to opt/tmp/myarchive.
- compressedExport.sh: Export with tsidx files compressed as gz.
- flatfileExport.sh: Export as a flat text file.

Note: Either rename the script you use or move it to another location (and specify that location in indexes.conf) to avoid having changes overwritten when you upgrade Splunk.

Windows users use this notation: coldToFrozenScript = <script> "$DIR"
- <script> can be either:
- compressedExport.bat (download the script here).
- flatfileExport.bat (download the script here).

Note: Either rename the script you use or move it to another location (and specify that location in indexes.conf) to avoid having changes overwritten when you upgrade Splunk.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.4.1/Admin/AutomateArchiving"

« Set a retirement and archiving policy Restore archived data »

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!

Admin Manual

Automate archiving

Contents

Automate archiving

Use Splunk's index aging policy to archive

Comments