Solved: After Thawing Data, how do you "Re-Freeze" it?

TheJagoff · ‎07-22-2016

Hello,

I have tested thawing data with good results. My question is - How do you refreeze it after you are done reviewing the data?

At this point, I'm just looking for general direction.

Many thanks!

somesoni2 · ‎07-22-2016

The thawed data is not affected by the retention period of the index, hence it will not go off automatically. You'd have to manually move them from thaweddb directory to your frozen directory.

View solution in original post

jmpreidy · ‎08-07-2017

To refreeze thawed data move it out of the thaw directory.
Documentation in indexes.conf confirms this: http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/indexesconf
Move to bucket Frozen directory.
Remove files except for the rawdata directory, since rawdata contains all the facts in the bucket.

somesoni2 · ‎07-22-2016

The thawed data is not affected by the retention period of the index, hence it will not go off automatically. You'd have to manually move them from thaweddb directory to your frozen directory.

ssubhani · ‎01-02-2017

Just a question though , the data in thaweddb is uncompressed whereas the data in frozen is compressed (Just a journal.gz file) so If I move the data from thaweddb to frozen ,will it be compressed after a while or not . Also , should I move or Copy . I was thinking to copy it and once finished ,delete all data in Thawed db. Please advise .

TheJagoff · ‎07-22-2016

That makes perfect sense - Thank you!

After Thawing Data, how do you "Re-Freeze" it?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

After Thawing Data, how do you "Re-Freeze" it?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?