Solved: After Thawing Data, how do you "Re-Freeze" it?

TheJagoff · ‎07-22-2016

Hello,

I have tested thawing data with good results. My question is - How do you refreeze it after you are done reviewing the data?

At this point, I'm just looking for general direction.

Many thanks!

somesoni2 · ‎07-22-2016

The thawed data is not affected by the retention period of the index, hence it will not go off automatically. You'd have to manually move them from thaweddb directory to your frozen directory.

View solution in original post

jmpreidy · ‎08-07-2017

To refreeze thawed data move it out of the thaw directory.
Documentation in indexes.conf confirms this: http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/indexesconf
Move to bucket Frozen directory.
Remove files except for the rawdata directory, since rawdata contains all the facts in the bucket.

somesoni2 · ‎07-22-2016

The thawed data is not affected by the retention period of the index, hence it will not go off automatically. You'd have to manually move them from thaweddb directory to your frozen directory.

ssubhani · ‎01-02-2017

Just a question though , the data in thaweddb is uncompressed whereas the data in frozen is compressed (Just a journal.gz file) so If I move the data from thaweddb to frozen ,will it be compressed after a while or not . Also , should I move or Copy . I was thinking to copy it and once finished ,delete all data in Thawed db. Please advise .

TheJagoff · ‎07-22-2016

That makes perfect sense - Thank you!

After Thawing Data, how do you "Re-Freeze" it?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

After Thawing Data, how do you "Re-Freeze" it?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!