https://community.splunk.com/t5/Getting-Data-In/How-to-thaw-data-from-frozen-back-into-splunk/m-p/462354#M79792 <P>1) This, perhaps, is the hardest part of thawing data. I'll assume you saved frozen buckets in a manner that preserved the index name and the bucket name <CODE>($SPLUNK_DB/&lt;index&gt;/db_&lt;bucket&gt;)</CODE>. If you didn't do that then I don't know how to help you.<BR /> Bucket names contain the timestamps of the oldest and newest events in them so it's just a matter of converting your time frame into epoch form and looking for buckets that timestamps in that range.</P> <P>2) Yes. How much of an effect depends on how busy the indexer is and how much data is being thawed. You'll also need to restart the indexer so that's a performance impact.</P> <P>3) Splunk's docs (<A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Restorearchiveddata#Clustered_data_thawing">https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Restorearchiveddata#Clustered_data_thawing</A>) recommend putting thawed buckets back on the indexer they came from, so yes.</P> <P>4) The cluster will now have new buckets to track, but the effect should be negligible.</P> <P>5) No</P> <P>6) Only if you don't have storage for the thawed buckets</P> <P>7) When you're finished with the buckets you delete them. Frozen and thawed buckets are not managed by Splunk.</P> Wed, 05 Feb 2020 21:13:03 GMT richgalloway 2020-02-05T21:13:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-thaw-data-from-frozen-back-into-splunk/m-p/462353#M79791 <P>Hi,</P> <P>We have requirement where we were asked to retrieve 3 month old data from frozen state into splunk.<BR /> We need inputs for:-<BR /> 1) How to identify the buckets inside frozen data for that particular index and that time frame?<BR /> 2) Will there be impact on indexer performance while thawing the data?<BR /> 3)Do I need to thaw data on every indexer in cluster?<BR /> 4)What would be it's impact on cluster.<BR /> 5)Will it cost on license?<BR /> 6)Do i have to attach disk on every indexers for thawing data? <BR /> 7) How will it go back to frozen state</P> <P>Thanks <BR /> Saurabh</P> Wed, 05 Feb 2020 18:03:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-thaw-data-from-frozen-back-into-splunk/m-p/462353#M79791 saurabh0912 2020-02-05T18:03:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-thaw-data-from-frozen-back-into-splunk/m-p/462354#M79792 <P>1) This, perhaps, is the hardest part of thawing data. I'll assume you saved frozen buckets in a manner that preserved the index name and the bucket name <CODE>($SPLUNK_DB/&lt;index&gt;/db_&lt;bucket&gt;)</CODE>. If you didn't do that then I don't know how to help you.<BR /> Bucket names contain the timestamps of the oldest and newest events in them so it's just a matter of converting your time frame into epoch form and looking for buckets that timestamps in that range.</P> <P>2) Yes. How much of an effect depends on how busy the indexer is and how much data is being thawed. You'll also need to restart the indexer so that's a performance impact.</P> <P>3) Splunk's docs (<A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Restorearchiveddata#Clustered_data_thawing">https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Restorearchiveddata#Clustered_data_thawing</A>) recommend putting thawed buckets back on the indexer they came from, so yes.</P> <P>4) The cluster will now have new buckets to track, but the effect should be negligible.</P> <P>5) No</P> <P>6) Only if you don't have storage for the thawed buckets</P> <P>7) When you're finished with the buckets you delete them. Frozen and thawed buckets are not managed by Splunk.</P> Wed, 05 Feb 2020 21:13:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-thaw-data-from-frozen-back-into-splunk/m-p/462354#M79792 richgalloway 2020-02-05T21:13:03Z