Deployment Architecture

Is it doable to set all the indexes in one frozenpath and archive all its data in S3 glacier?

ejmin
Path Finder

Hi splunkers,

Is it possible to have all of the indexes have a one frozen directory path setup in archiving to Amazon S3 glacier? Can anyone of you share their thoughts in storing their data in amazon s3 glacier. It would be nice if  you teach me the architecture or what methods needs to be done in archiving data to S3 glacier. 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, it is doable, but not necessarily advisable.  I've seen customers do this and then struggle to locate data they wish to thaw.  With all Splunk buckets in a single S3 bucket, they have no idea which buckets belong to which index.  I recommend a different frozen path for each index for that reason.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, it is doable, but not necessarily advisable.  I've seen customers do this and then struggle to locate data they wish to thaw.  With all Splunk buckets in a single S3 bucket, they have no idea which buckets belong to which index.  I recommend a different frozen path for each index for that reason.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ejmin
Path Finder

Ok thanks for your input......

By the way had you ever done archiving to S3 glacier from frozen bucket?

Ill accept it as a solution for my question but Ill appreciate also if you will advise me a method or guide on how to setup this in automatic way like how the splunk forwarder works.

0 Karma

isoutamo
SplunkTrust
SplunkTrust
As I answer your another question it’s doable. Unfortunately I haven’t link to it, but I think that you could find it by google.
r. Ismo
0 Karma

ejmin
Path Finder

Ok thanks @isoutamo  for your inputs.

 

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...