https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365163#M1068 <P>Thank you Marian, you've been very helpful.</P> Fri, 27 Apr 2018 10:44:25 GMT davidbien 2018-04-27T10:44:25Z https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365159#M1064 <P>Hi,<BR /> I have setup Splunk to receive syslogs from our network. These work fine and I can view them in Splunk.<BR /> Next step I want to take is to send those logs to logz.io to keep them in cloud. The problem I have is that I don't know where the data collected by Splunk is stored. Where can i find the logs collected by Splunk? What format is it in? </P> <P>Thanks.</P> Thu, 26 Apr 2018 14:27:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365159#M1064 davidbien 2018-04-26T14:27:09Z https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365160#M1065 <P>Hi, <BR /> Splunk logs are collected in buckets (hot, warm, cold, frozen, thawed) and depending on the environment settings they follow the process of roll out from hot -&gt; warm -&gt; cold. It has an entire process for this and you could better have a look here for more details:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/HowSplunkstoresindexes" target="_blank">http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/HowSplunkstoresindexes</A></P> <P>One note here is that hot buckets (most recent data) is in active writing stage, so you can't backup/move that data until in reaches warm stage.</P> <P>If you want to sent those logs to cloud, for archiving purposes, you could copy the relevant archives to the cloud and you will be able later to bring them back to thawed and search them. To find out the buckets you need to backup you could use in search | dbinspect <BR /> to identify them. Location is usually in $SPLUNK_HOME/var/lib/splunk/your_index/db/ but cold data can be moved to an external storage (other Volume).</P> <P>| dbinspect index=your_index<BR /> | table bucketId, startEpoch, endEpoch, id, index, modTime, path, sizeOnDiskMB, splunk_server, state</P> <P>Regards</P> Tue, 29 Sep 2020 19:15:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365160#M1065 marian_coman 2020-09-29T19:15:55Z https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365161#M1066 <P>Thank you for your answer, Marian.<BR /> Is it possible to send the logs in a human readable format to cloud? Or would I need to use Splunk every time I want to read them again?</P> Fri, 27 Apr 2018 09:11:39 GMT https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365161#M1066 davidbien 2018-04-27T09:11:39Z https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365162#M1067 <P>The logs (Splunk db - tsidx) are not human readable, they're Splunk proprietary format. You'll have to re-index them to Splunk to be able to query them. </P> Fri, 27 Apr 2018 10:40:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365162#M1067 marian_coman 2018-04-27T10:40:35Z https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365163#M1068 <P>Thank you Marian, you've been very helpful.</P> Fri, 27 Apr 2018 10:44:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/Data-location-to-send-to-a-remote-server/m-p/365163#M1068 davidbien 2018-04-27T10:44:25Z