Hello everyone
I would like to know the steps to achieve the questions below. Can anyone please help me?
1. How to move data from a cold bucket to a hot bucket (I have already gone through some steps in the community, like take a backup of the cold bucket and replace the hot bucket with that, something like that, but I was not clear...)
Can anyone please help me with the steps?
2. Second, in a log I have 2 different kinds of logs; I want to send those to different indexes.
Ex: I have a and b in the log; I want to send a to index1 and b to index2.
Can anyone please provide the steps to achieve the above?
Perhaps you are using the wrong terms and thus asking the wrong question because, as-written, what you are asking makes no sense at all. Perhaps what you are meaning to ask is, "How do I thaw frozen data to make it searchable again?" That question makes a great deal of sense, and even has answers, but nowhere in those answers is there any step to make a bucket hot again.
The answer to my reformulation of your question is here:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata
But keep in mind that this only will work if you have first done this (which most people have not done):
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Automatearchiving
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Backupindexeddata
1: You cannot create hot buckets, only splunkd can.
2: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
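For the second question (sending "a" events to index1 and "b" events to index2), the linked routing documentation relies on an index-time transform that rewrites the event's index. The sketch below is an added example, not part of any post in this thread; the sourcetype name `my_sourcetype` and the two `REGEX` patterns are placeholders, and the two sections belong in separate files (props.conf and transforms.conf).

```ini
# ---- props.conf ----
# Hypothetical sourcetype name; use the sourcetype assigned to your input.
[my_sourcetype]
# Transforms are applied in the order listed, at parse time, before indexing.
TRANSFORMS-route_by_type = route_a_to_index1, route_b_to_index2

# ---- transforms.conf ----
[route_a_to_index1]
# Placeholder pattern: replace with a regex that matches only the "a" events.
REGEX = \btype=a\b
# Overwrite the destination index for events that match REGEX.
DEST_KEY = _MetaData:Index
FORMAT = index1

[route_b_to_index2]
# Placeholder pattern: replace with a regex that matches only the "b" events.
REGEX = \btype=b\b
DEST_KEY = _MetaData:Index
FORMAT = index2

# Events that match neither pattern keep the index set in inputs.conf.
```

These settings take effect only on the first instance that parses the data (an indexer or heavy forwarder, not a universal forwarder), and only for events indexed after splunkd is restarted. Both index1 and index2 must already exist on the indexers.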
Thanks for the inputs, but I want to retrieve cold bucket data to a hot bucket. Is it possible?
IT IS IMPOSSIBLE and furthermore doesn't even make sense. If you really mean warm instead of hot, then all you need to do is move the bucket folder and restart the Cluster Master. But even that is pretty pointless because unless you have modified frozenTimePeriodInSeconds or expanded your warm disk volume, it is just going to move back to cold immediately. See my new answer.