Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

bucket roll logging

maada
Explorer
‎05-09-2017 11:00 PM

Hi,

does Splunk logs somewhere internal how / when buckets are rolled, e.g. from cold to frozen?

reason: frozen buckets are archived in a diferent location, if a certain bucket from a certain time period needs to be restored it would be great to search for the name / time frame to find that and bring only this (or a couple of buckets) back instead of e.g. two years of data.

thanks.

Tags (2)
Reply

adonio
Ultra Champion
‎05-10-2017 05:56 AM

hello @maada,
@dnitschke provided the correct search in answer above, however I would like to elaborate.
The internal index, which contains the data you seek, has a default size of 500GB and retention period of 2592000 seconds (30 days)
thinking about your use case, capturing buckets who moved to frozen, maybe it is better to capture the data and send to a lookup table or kv_store to keep track. if you dont, in 30 days that event is gone.
i have to re check, but i think that the | dbinspect can present frozen buckets as well
just my 2 cents

0 Karma
Reply

ctaf
Contributor
‎05-10-2017 03:12 AM

Hi,

You could run the following search to find these informations:

index=_internal "finished moving"
0 Karma
Reply

dnitschke_splun
Splunk Employee
Splunk Employee
‎05-10-2017 03:07 AM

Check if

index=_internal sourcetype=splunkd component=BucketMover

gives you what you are looking for.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...