Looking at new 6.5 Hadoop data roll feature - will the bucket reader be able to read this data? Also, would it be possible to export the "raw data", but keep the tstats?
Yes, the bucket reader will work on the journal.gz (raw data) that you copy from Splunk 6.5 indexers.
When you copy the journal.gz from Splunk indexers to HDFS you only copy the journal.gz and not the TSIDX files. The TSIDX files stay in the Splunk indexers. The key point is that the Hadoop Data Roll feature only copy these files to HDFS and does not delete them from Splunk.
Yes, the bucket reader will work on the journal.gz (raw data) that you copy from Splunk 6.5 indexers.
When you copy the journal.gz from Splunk indexers to HDFS you only copy the journal.gz and not the TSIDX files. The TSIDX files stay in the Splunk indexers. The key point is that the Hadoop Data Roll feature only copy these files to HDFS and does not delete them from Splunk.
Acceptable answer @a212830?
Anyone?...
AFAIK, you can't keep the tstats while removing the raw data. I don't think I understand what you mean by "bucket reader"...
Thanks. I'm wondering if this app will work on the exported data - https://splunkbase.splunk.com/app/2759/ - for those crazy, non-Splunk people...
Ah. Didn't realize you were referring to an app with "Bucket Reader". I've tagged your question with that app so the author is linked.