

In the last blog, we covered how data ages in Splunk Enterprise through different stages. In the frozen stage, data is either archived or deleted after a set period of time. Archived data has no default location, and you may archive data into a directory location of your choice. So how do you archive indexed data in Splunk Enterprise? Well, read on.

Depending on how you've set your data retirement and archiving policy, data reaches the frozen state, where the indexer deletes the data. If you want to archive the data instead, you can let the indexer archive the data automatically, or you can specify a customized archiving script for the indexer to follow:

By setting the coldToFrozenDir attribute, where you specify the location where the indexer will automatically archive the frozen data.

By specifying a valid coldToFrozenScript attribute, where the indexer will run a user-supplied script when the data is frozen.

You can only set one of the above two attributes. However, if you set both, the coldToFrozenDir attribute takes precedence over coldToFrozenScript. If you choose not to specify either attribute, the indexer runs a default script that writes the name of the bucket being erased to the log file $SPLUNK_HOME/var/log/splunk/splunkd_stdout.log, after which the bucket is erased.

How the indexer archives the data for you

How the indexer archives the frozen data depends on the release in which the data was originally indexed. For buckets created in version 4.2 and onwards, the indexer will delete all data except for the rawdata file. For buckets created in versions pre 4.2, the scripts in buckets.

If you specify a script in the coldToFrozenScript attribute, it will run just before the indexer deletes data that reaches the frozen state. This will archive indexed data in Splunk instead of deleting it.
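The precedence rules for coldToFrozenDir and coldToFrozenScript, as an added example (not code from the original post or from Splunk): a small Python audit that reads indexes.conf-style text and reports, per index, whether frozen buckets are archived to a directory, handed to a script, or deleted. The sample configuration, index names and paths are constructed; it assumes the attributes sit in per-index stanzas with a [default] stanza supplying inherited values, and it reads a single file rather than Splunk's layered configuration.

```python
import configparser

# Constructed sample indexes.conf (hypothetical paths and index names).
SAMPLE_CONF = """
[default]
coldToFrozenScript = "$SPLUNK_HOME/bin/python" "/opt/scripts/archive_bucket.py"
[volume:cold]
path = /mnt/cold
[firewall]
coldToFrozenDir = /mnt/archive/firewall
coldToFrozenScript = "/opt/scripts/other.sh"
[web]
[scratch]
coldToFrozenScript =
"""

def frozen_behaviour(conf_text):
    """Map each index stanza to (action, target, both_attributes_set)."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="default"
    )
    parser.optionxform = str  # keep attribute names exactly as written
    parser.read_string(conf_text)
    result = {}
    for name in parser.sections():
        if name.startswith("volume:"):
            continue  # volume definitions are not indexes
        stanza = parser[name]  # lookups fall back to [default]
        archive_dir = stanza.get("coldToFrozenDir", "").strip()
        script = stanza.get("coldToFrozenScript", "").strip()
        if archive_dir:
            # coldToFrozenDir takes precedence when both are set
            result[name] = ("archive_dir", archive_dir, bool(script))
        elif script:
            result[name] = ("script", script, False)
        else:
            # neither attribute: bucket name is logged, then the bucket is erased
            result[name] = ("delete", None, False)
    return result

if __name__ == "__main__":
    for index, (action, target, both) in sorted(frozen_behaviour(SAMPLE_CONF).items()):
        note = " (script also set, ignored)" if both else ""
        print(f"{index}: {action} {target or ''}{note}")
```

Indexes reported as `delete` are the ones whose data is lost at the frozen stage, which is worth checking for any index that holds audit or security logs.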
