Frozen Index Management

adalbor · ‎11-11-2019

Is there an app/script/mechanism out there that would allow you to list your available frozen indices by their human readable date/timestamps and allow you to move them back to thawed state and rebuild?

Thanks!

radam2000 · ‎05-04-2020

If the index is on linux, you can run this cli command in the frozen directory to list the human readable start and end dates/times for the buckets and pipe it to a txt file for review...

Format to list bucket names with start and end dates
ls -d1 db_* | gawk -F'_' '{print $0} {print " " strftime("%c", $3)} {print " " strftime("%c", $2)}'

sample output
db_1549387088_1541611191_68_9E0CD82F-4920-47E4-8142-B1FE5AD9E314
Wed 07 Nov 2018 12:19:51 PM EST
Tue 05 Feb 2019 12:18:08 PM EST
db_1549775541_1549387335_69_9E0CD82F-4920-47E4-8142-B1FE5AD9E314
Tue 05 Feb 2019 12:22:15 PM EST
Sun 10 Feb 2019 12:12:21 AM EST

Rich

fernanlee · ‎11-11-2019

Yes, of course:

https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Restorearchiveddata#Thaw_a_4.2.2B_archive

adalbor · ‎11-12-2019

That doesn't answer my question. Was looking for a script or an app that would allow me to list my available frozen indices and the date/timestamp in a human readable format. Something that would make validating the indices and thawing them easier.

adalbor · ‎11-20-2019

Any suggestions anyone?

adalbor · ‎12-02-2019

Any Splunk people have any suggestions?

Frozen Index Management

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM