Solved: Re: Move data to another index based on _time

zafunt · ‎11-12-2013

I would like to move data based on the event time to another index. I've tried something like the following...

index=main _time < whatever | collect index=old

But, this changes all the src values to be the splunk indexer.

I've also tried to move items to "frozen" based on time. However, that seems to move events based on the time that the data was indexed.

Is there another way to do this?

yannK · ‎11-12-2013

move the buckets instead, it's easier to identify all the buckets containing your data.
then copy/move then to the new index.

use the |dbinspect index=main | convert ctime(endEpoch) AS start| convert ctime(startEpoch) AS end | table path state start end
to get the list of your buckets, with their timerange.
stop splunk
copy or move them to the new indexpath
if needed, use the delete command to hide the events that you do not want

yannK · ‎11-12-2013

move the buckets instead, it's easier to identify all the buckets containing your data.
then copy/move then to the new index.

use the |dbinspect index=main | convert ctime(endEpoch) AS start| convert ctime(startEpoch) AS end | table path state start end
to get the list of your buckets, with their timerange.
stop splunk
copy or move them to the new indexpath
if needed, use the delete command to hide the events that you do not want

zafunt · ‎11-13-2013

Thanks. This should work for me. I'll update with any additional steps that may be helpful to others.

Move data to another index based on _time