Solved: How do i search indexed data in Warm Db ?

chimbudp · ‎06-21-2013

splunkd.log gets indexed in _internal index.
From this index , i could able to get data for last 1 month.
I need to have splunkd.log for Jan2013 .
How do i get it ?
Was the data moved to Warm db,cold db?
If ,so how can i perform Search option against those buckets ?

chris · ‎06-21-2013

I'm afraid your data is not searchable in splunk anymore. The _internal index has a frozenTimePeriodInSecs of 2419200 seconds which equals to 28 days by default, if haven't configured a coldToFrozenScript for the index the data was deleted. You can change that value by overriding the default in $SPLUNK_HOME/etc/system/local/indexes.conf. Jus add a [_internal] stanza and override any settings you want. To display the current settings you can use:

/opt/splunk/bin/splunk btool indexes list _internal
[_internal]
.
..
...
frozenTimePeriodInSecs = 2419200
..
.

View solution in original post

chris · ‎06-21-2013

I'm afraid your data is not searchable in splunk anymore. The _internal index has a frozenTimePeriodInSecs of 2419200 seconds which equals to 28 days by default, if haven't configured a coldToFrozenScript for the index the data was deleted. You can change that value by overriding the default in $SPLUNK_HOME/etc/system/local/indexes.conf. Jus add a [_internal] stanza and override any settings you want. To display the current settings you can use:

/opt/splunk/bin/splunk btool indexes list _internal
[_internal]
.
..
...
frozenTimePeriodInSecs = 2419200
..
.

chimbudp · ‎06-24-2013

thanks Chris.

How do i search indexed data in Warm Db ?

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

Observability Highlights | January 2023 Newsletter