Getting Data In

How does Splunk Cloud handle frozen data and format logs?

christiang
New Member

Hi, I am evaluating Splunk Cloud and I have two questions which answers I could not find on the web:

  1. How does Splunk Cloud handle frozen data? Does it delete it automatically, can I download it and store it on-premise?
  2. If I don't want Splunk Cloud anymore, can I get back my logs? In case I can, in which format will the logs be? Splunk's or raw?

Thanks in advance.
Regards,
Christian

Tags (3)
0 Karma
1 Solution

esix_splunk
Splunk Employee
Splunk Employee

For the following:

1) Splunk Cloud doesn't freeze data to external storage, it deletes it. You can manually export it via GUI.

2) If you cancel your contract, you can work with you account manage for different export options. Typically export is in raw format.

Hope that helps.

View solution in original post

atricarico_splu
Splunk Employee
Splunk Employee

I thought I would update the answer to this post since Splunk now has new capabilities and features available for archiving data indexed in Splunk Cloud.

Splunk Cloud now provides a subscription-based method to archive data from Splunk Cloud indexes to storage managed by Splunk. This option is called Dynamic Data: Active Archive (DDAA).
DDAA is a managed offering and allows for data to be re-indexed back into Splunk Cloud should there be a need to thaw the data.

Splunk Cloud also provides a method for customers to archive data from Splunk Cloud indexes to AWS S3 storage paid for and managed independently by the customer. This option is called Dynamic Data: Self-Storage (DDSS).
With DDSS if a customer wants to make the archived data searchable, they will need to spin up their own separate instance of Splunk Enterprise to thaw the data.

See the following articles:

Dynamic Data: Data Retention Options in Splunk Cloud
https://www.splunk.com/blog/2018/10/11/dynamic-data-data-retention-options-in-splunk-cloud.html

Dynamic Data: Self-Storage - Compliance, Cloud and Data Lifecycle
https://www.splunk.com/blog/2018/04/24/dynamic-data-self-storage-compliance-cloud-and-data-lifecycle...
,I thought I would update the response to this question, since Splunk Cloud now has greater functionality and flexibility with regard to archiving data.

There is a subscription-based offering to archive data in Splunk Cloud to S3 storage managed by Splunk
This option is called Dynamic Data: Active Archive (DDAA).
DDAA allows data to be restored to Splunk Cloud from the archive storage.

There is also an option for customers to utilize their own S3 storage to export and store archived data outside of Splunk Cloud.
This option is called Dynamic Data: Self-Storage (DDSS).
DDSS requires that customers spin up their own Splunk instance to thaw the data should they need to make it searchable.

See the following articles:

Dynamic Data: Data Retention Options in Splunk Cloud
https://www.splunk.com/blog/2018/10/11/dynamic-data-data-retention-options-in-splunk-cloud.html

Dynamic Data: Self-Storage - Compliance, Cloud and Data Lifecycle
https://www.splunk.com/blog/2018/04/24/dynamic-data-self-storage-compliance-cloud-and-data-lifecycle...

esix_splunk
Splunk Employee
Splunk Employee

For the following:

1) Splunk Cloud doesn't freeze data to external storage, it deletes it. You can manually export it via GUI.

2) If you cancel your contract, you can work with you account manage for different export options. Typically export is in raw format.

Hope that helps.

christiang
New Member

Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...