bucket roll logging

maada · ‎05-09-2017

Hi,

does Splunk logs somewhere internal how / when buckets are rolled, e.g. from cold to frozen?

reason: frozen buckets are archived in a diferent location, if a certain bucket from a certain time period needs to be restored it would be great to search for the name / time frame to find that and bring only this (or a couple of buckets) back instead of e.g. two years of data.

thanks.

adonio · ‎05-10-2017

hello @maada,
@dnitschke provided the correct search in answer above, however I would like to elaborate.
The internal index, which contains the data you seek, has a default size of 500GB and retention period of 2592000 seconds (30 days)
thinking about your use case, capturing buckets who moved to frozen, maybe it is better to capture the data and send to a lookup table or kv_store to keep track. if you dont, in 30 days that event is gone.
i have to re check, but i think that the | dbinspect can present frozen buckets as well
just my 2 cents

ctaf · ‎05-10-2017

Hi,

You could run the following search to find these informations:

index=_internal "finished moving"

dnitschke_splun · ‎05-10-2017

Check if

index=_internal sourcetype=splunkd component=BucketMover

gives you what you are looking for.

bucket roll logging

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann