All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use shuttl to archive frozen data in local FS

alanwill
Explorer
‎12-03-2013 06:44 PM

I'm trying to implement shuttl in our day to day Splunk workflow and in setting it up, it looks like it would shuttl my cold data to the new frozen location, say S3. However I already have many terabytes of frozen data stored locally that I'd like to shuttl to S3, can I still use shuttl for this?

The idea would be to copy the existing local mounted SAN frozen archives to S3, then use the coldToFrozenScript from then on to move directly to S3.

How can I do this? Thanks,
alan

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎12-04-2013 11:25 AM

You could setup Shuttl and call its copy/freeze scripts manually.

Here's how you do it:
1. Install and configure Shuttl.
2. Start Splunk and make sure Shuttl is running by looking at the Shuttl dashboard.
3. call $SPLUNK_HOME/etc/apps/shuttl/bin/warmToColdScript.sh /absolute/path/to/bucket /absolute/path/to/bucket
And your buckets should now be copied.

And yes, I've written "/absolute/path/to/bucket" twice. That's because usually when you use that script, you want to move the bucket from Splunk's warm to cold directory.

Alternative: Use this modified script, placed in Shuttl's bin directory: https://gist.github.com/petterik/7793825
Call it with a single argument of the bucket's absolute path. Installing, configuring and starting Shuttl is still needed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Petter_Eriksson
Splunk Employee
Splunk Employee
‎12-04-2013 11:25 AM

You could setup Shuttl and call its copy/freeze scripts manually.

Here's how you do it:
1. Install and configure Shuttl.
2. Start Splunk and make sure Shuttl is running by looking at the Shuttl dashboard.
3. call $SPLUNK_HOME/etc/apps/shuttl/bin/warmToColdScript.sh /absolute/path/to/bucket /absolute/path/to/bucket
And your buckets should now be copied.

And yes, I've written "/absolute/path/to/bucket" twice. That's because usually when you use that script, you want to move the bucket from Splunk's warm to cold directory.

Alternative: Use this modified script, placed in Shuttl's bin directory: https://gist.github.com/petterik/7793825
Call it with a single argument of the bucket's absolute path. Installing, configuring and starting Shuttl is still needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...