Deployment Architecture

bucket roll logging



Does Splunk log somewhere internally how / when buckets are rolled, e.g. from cold to frozen?

Reason: frozen buckets are archived in a different location. If a certain bucket from a certain time period needs to be restored, it would be great to search for the name / time frame to find it and bring only this (or a couple of buckets) back instead of e.g. two years of data.




Hello @maada,
@dnitschke provided the correct search in the answer above, however I would like to elaborate.
The internal index, which contains the data you seek, has a default size of 500GB and a retention period of 2592000 seconds (30 days).
Thinking about your use case, capturing buckets that moved to frozen, maybe it is better to capture the data and send it to a lookup table or kv_store to keep track. If you don't, in 30 days that event is gone.
I have to recheck, but I think that | dbinspect can present frozen buckets as well.
Just my 2 cents

0 Karma



You could run the following search to find this information:

index=_internal "finished moving"
0 Karma

Splunk Employee

Check if

index=_internal sourcetype=splunkd component=BucketMover

gives you what you are looking for.
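
Added example (not part of any post in this thread): because the _internal events age out after the retention period mentioned above, the time range can also be read from the archived bucket directory names, which follow db_<newest_epoch>_<oldest_epoch>_<local_id>[_<guid>] (rb_ for replicated copies on clustered indexers). The code assumes the frozen archive keeps the original bucket directory names; the function names and the paths in ARCHIVE are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Bucket directory names encode the event time range:
#   db_<newest_epoch>_<oldest_epoch>_<local_id>[_<guid>]
# "rb_" marks a replicated copy on a clustered indexer.
BUCKET_RE = re.compile(
    r"^(db|rb)_(\d+)_(\d+)_(\d+)(?:_([0-9A-Fa-f-]+))?$"
)


def parse_bucket(path):
    """Return (newest, oldest) epoch seconds, or None if not a bucket dir."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    m = BUCKET_RE.match(name)
    if not m:
        return None
    newest, oldest = int(m.group(2)), int(m.group(3))
    # Reject names whose time range is inverted (not a valid bucket).
    return (newest, oldest) if oldest <= newest else None


def buckets_for_window(paths, start, end):
    """Paths whose event range overlaps [start, end] (aware datetimes)."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for p in paths:
        span = parse_bucket(p)
        # Overlap: bucket begins before the window ends and
        # ends after the window begins.
        if span and span[1] <= hi and span[0] >= lo:
            hits.append(p)
    return sorted(hits, key=lambda p: parse_bucket(p)[1])


# Constructed listing of a frozen archive directory (hypothetical paths).
ARCHIVE = [
    "/archive/main/db_1577836799_1575158400_12",   # Dec 2019
    "/archive/main/db_1580515199_1577836800_13",   # Jan 2020
    "/archive/main/db_1583020799_1580515200_14",   # Feb 2020
    "/archive/main/rb_1580515199_1579000000_7_4E1A6C2B-0000-4000-8000-000000000001",
    "/archive/main/lost+found",                    # not a bucket
]

if __name__ == "__main__":
    utc = timezone.utc
    for p in buckets_for_window(ARCHIVE, datetime(2020, 1, 10, tzinfo=utc),
                                datetime(2020, 1, 20, tzinfo=utc)):
        print(p)
```

Only the buckets returned for the window need to be copied back for restore; everything else in the archive can stay where it is.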
