How does data age in Splunk?

Splunk The data entering the indexer is stored in a directory called a bucket . As data ages , Buckets go through several stages ： heat 、 temperature 、 cold 、 frozen and thaw . as time goes on , Barrel from one stage “ rolling ” To the next stage .

• When data is first indexed , It will go into a Hot barrel . Hot buckets can be searched and actively written . An index can open multiple hot buckets at the same time
• When certain conditions occur （ for example , The hot storage bucket reaches a certain size or splunkd Restart ）, The hot storage bucket becomes Warm storage barrel （“ Scroll to warm ”）, And create a new hot storage bucket in its location . The warm bucket is searchable , But it will not actively write . There can be many warm buckets
• Once further conditions are met （ for example , The index reaches a certain maximum number of warm buckets ）, The indexer began rolling the warm buckets to... According to their age cold bucket . It always chooses the oldest warm bucket to roll to the cold . When aging in this way , The barrel will continue to cool
• After a while , The cold storage bucket will scroll to Frozen state , At this point they will be archived or deleted .

The bucket aging strategy determines when buckets move from one stage to the next , You can edit index.conf To modify .

Reference documents ：

Configure maximum index size - Splunk Documentation

You can also refer to my other blog: splunk index Parameter setting _shenghuiping2001 The blog of -CSDN Blog