All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use shuttl to archive frozen data in local FS

alanwill
Explorer
‎12-03-2013 06:44 PM

I'm trying to implement shuttl in our day to day Splunk workflow and in setting it up, it looks like it would shuttl my cold data to the new frozen location, say S3. However I already have many terabytes of frozen data stored locally that I'd like to shuttl to S3, can I still use shuttl for this?

The idea would be to copy the existing local mounted SAN frozen archives to S3, then use the coldToFrozenScript from then on to move directly to S3.

How can I do this? Thanks,
alan

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎12-04-2013 11:25 AM

You could setup Shuttl and call its copy/freeze scripts manually.

Here's how you do it:
1. Install and configure Shuttl.
2. Start Splunk and make sure Shuttl is running by looking at the Shuttl dashboard.
3. call $SPLUNK_HOME/etc/apps/shuttl/bin/warmToColdScript.sh /absolute/path/to/bucket /absolute/path/to/bucket
And your buckets should now be copied.

And yes, I've written "/absolute/path/to/bucket" twice. That's because usually when you use that script, you want to move the bucket from Splunk's warm to cold directory.

Alternative: Use this modified script, placed in Shuttl's bin directory: https://gist.github.com/petterik/7793825
Call it with a single argument of the bucket's absolute path. Installing, configuring and starting Shuttl is still needed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎12-04-2013 11:25 AM

You could setup Shuttl and call its copy/freeze scripts manually.

Here's how you do it:
1. Install and configure Shuttl.
2. Start Splunk and make sure Shuttl is running by looking at the Shuttl dashboard.
3. call $SPLUNK_HOME/etc/apps/shuttl/bin/warmToColdScript.sh /absolute/path/to/bucket /absolute/path/to/bucket
And your buckets should now be copied.

And yes, I've written "/absolute/path/to/bucket" twice. That's because usually when you use that script, you want to move the bucket from Splunk's warm to cold directory.

Alternative: Use this modified script, placed in Shuttl's bin directory: https://gist.github.com/petterik/7793825
Call it with a single argument of the bucket's absolute path. Installing, configuring and starting Shuttl is still needed.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...