Solved: How to check if indexer is writing cold to frozen?

Log_wrangler · ‎07-17-2018

I have an ec2 splunk instance writing frozen data to an s3 bucket (via s3fs).

Where would I find in the splunk logs a history to monitor: when data is written to, and how much data is written to the frozen dir?

Thank you

CarsonZa · ‎07-17-2018

try this and see if its what you're looking for

index=_internal source=*splunkd.log  Reason="' frozen_buckets'"

View solution in original post

CarsonZa · ‎07-17-2018

try this and see if its what you're looking for

index=_internal source=*splunkd.log  Reason="' frozen_buckets'"

Log_wrangler · ‎07-17-2018

index = _internal is correct. fyi, when looking for s3fs events I have to search for the s3fs mount point like
the following (where foo is the s3fs mount point).
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" "/foo/frozen_archive/some_index_of_interest"

How to check if indexer is writing cold to frozen?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to check if indexer is writing cold to frozen?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...