Index name : A
Index name : B
host : a1,a2
a1,a2 hosts ----->forward logs to index 'A' .
I want to separate/move 'a2' related events to index 'B' after 30 days.
Work around :
Roll the hot buckets from index 'A' and move to the index 'B'
Delete the 'a1' related events via search query by 'can_delete' role. (query : index=B host=a1|delete)
But still host : a1 indexed data is available in the index 'B' buckets
where in my case , i have a problem considering my disk space . So i need to delete the data from buckets also.
Is there any options available ?
Also , when i copy the warm buckets into index B - Immediately its available in search query. Does rebuild/restart not necessary here?
Easiest solution: Have host a1 log into index A, host a2 into index B. Set index A to delete after 30 days. Search over
index=A OR index=B to get events from both hosts for the last 30 days.
Anything involving moving stuff will end up more complicated, so you should have a good reason to make things more complicated than necessary.
Create indexes per customer, and change their retention policy when they change their requirements. Delete their index when they cancel their subscription.
Are you a Splunk MSP?
This is sample example. But this very much needed in my business case for managed security services , I would receive logs from 100s of hosts, where based on some criteria I will be placing logs under certain index name. Later,
I would need to identify and delete the logs of particular hosts (physically)
Or, I would need to move the indexed data of a particular host to another index (this is my use case)
Could you explain more on why you need to move indexed data between indexes?
Different retention policies and/or different access policies = create and put data into different indexes and let Splunk handle the deletion for you. Splunk will "freeze" buckets when either they get too old or the size of the index is too large (both configurable). At that time Splunk will remove the bucket from searching and will delete, archive, or perform another custom action (again based on the index configuration)
I have index structure based on retention policy.
If a customer subscribes for a retention period of 12 months I will direct this customer log to my first index.
Let say, if the customer wants to continue his subscription for another 2 years , I will direct the logs to 2nd index, more over in case if the customer wants his past 1 year also(for a statistical purpose) , I want to move the indexed data from 12-Months-Index to 24-Months-Index directory.
For this purpose , I want the data movement from one index to another index.
NOTE : For providing a managed security services - Splunk ES application is deployed - where there are number of correlation search queries are running , in case if i separate the customer into separate indexes(in that case the index number will get increased), I have a problem of search query performance slow down(index=cust1 OR index=cust2 Or index-custN). To overcome this , we have a setup of indexes based on retention policy.So index number will be less
Also, I need an answer for this,
If a customer leaves in 6 months (where he already subscribed for 1 year retention) - How to physically delete his data from the disk. Since Index-12-Month contains data of other customer too. I need selective deletion