Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk bucketinnh

itzkirankumar1
Explorer
‎02-23-2020 08:12 AM

Hello everyone

I would like to know the steps to aches below questions can anyone please help me
1. How to move data from cold bucket to hot bucket ( I have already gone through some steps in community like take the back up of cold bucket and replace the hot bucket with that something like that but I was not clear ..)

Can anyone please help me with the steps
2.. Second in a log I have 2 different kind of logs I want to send those to different indexes
Ex : I have a and b in the log i want to send a to index1 and b to index2

Can anyone please provide the steps to achieve above

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎02-24-2020 06:56 AM

Perhaps you are using the wrong terms and thus asking the wrong question because, as-written, what you are asking makes no sense at all. Perhaps what you are meaning to ask is, How do I thaw frozen data to make it searchable again. That question makes a great deal of sense, and even has answers but nowhere in those answers is there any step to make a bucket hot again.
The answer to my reformulation of your question is here:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata
But keep in mind that this only will work if you have first done this (which most people have not done):
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Automatearchiving
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Backupindexeddata

0 Karma
Reply

woodcock
Esteemed Legend
‎02-23-2020 12:26 PM

1: You cannot create hot buckets, only splunkd can.
2: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma
Reply

itzkirankumar1
Explorer
‎02-23-2020 07:51 PM

Thanks for the inputs but I want to retrieve cold bucket data to hot bucket is it possible

0 Karma
Reply

woodcock
Esteemed Legend
‎02-24-2020 06:41 AM

IT IS IMPOSSIBLE and furthermore doesn't even make sense. If you really mean warm instead of hot then all you need to do is move the bucket folder and restart the Cluster Master. But even that is pretty pointless because unless you have modified frozenTimePeriodInSeconds or expanded your warm disk volume, it is just going to move back to cold immediately. See my new answer.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...