We are actually being told our retention is beyond normal standards. Currently our Splunk reps are telling us we really should only be keeping data around for something like 7 to 14 days searchable and a lot shorter frozen storage point of view.

In my mind, if we had a bigger investigation that need to be done on frozen storage as we have it, something like restoring data to a summary index of sorts would be better than rehydrating into our standard indexes. However, I haven't personally done a lot of work with that. I think then smaller request wouldn't be so bad. However, that 6 hour wait time is rough and can definitely slow down research efforts.

Hi @durnan13 

I would say 14 days is nowhere near too long… I have a customer with loads of data in a 5 year retention and many indexes in 1-3 years. It does cost more obviously for disks but you could architect it well to have cheaper disks for cold buckets and that way you can benefit from instant retrieval but searches may take a little longer. 
Or you could look at having those indexes in smart store. Again this would depend on your setup/hosting/architecture etc. 

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful

• Marking it as the solution if it resolved your issue

• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Sorry I missed the point re Splunk Cloud - If you're using DDAA then yes you will have delays in accessing this data. The best "fix" is to pay for more storage and keep the data in DDAS (Active Searchable) for longer.

Related to the previously mentioned smartstore stuff - if you send data to DDSS you can thaw it out but this requires additional infra and it wont necessarily (unless you use Federated Search to on-prem instance) allow searching from Splunk Cloud. See https://github.com/livehybrid/ddss-restore for more info on how this can be achieved but it isnt for the faint of heart...

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

From the hints in the original question I assumed that we're talking about Cloud.

Yes we are using Splunk Cloud today.

Yes, we are AWS and only using DDAA currently.

I am really interested in Federated Search if we could migrate perhaps some indexes to an S3 and just search that system from Splunk instead of retaining all indexes for so long. However, I am not sure if that is truly possible or not to do.

Federated Search for Amazon S3 is a bit different thing than "normal" Federated search. That's first important thing. So if you're just saying "federated search" the typical case of searching "remote" Splunk instances is implied.

So what you're talking about is this - https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/splunk-p...

Read:

- Limitations

- Requirements

- Licensing

Generally, yes, it's possible to store your data in S3 buckets and search them from Splunk (as long as the requirements from the above documents are met) but you have to be very careful about the searches since you're paying for the searched data (not the results of the whole search! all data that has been scanned to yield the result)

Thawing is an annoying process even on prem (and with on-prem installation you have he element of having to find right buckets to thaw) so it's understandable that you might want to keep your data around as searchable for longer. But of course more data means more storage means more $$$.

Interesting idea. I must admit I haven't dug into it deeply yet but the nagging question is if the buckets were already to be frozen, wouldn't CM re-freeze them again as soon as it saw them? (assuming they were frozen due to time constraints, not size limits).