Solved: How do i search indexed data in Warm Db ?

chimbudp · ‎06-21-2013

splunkd.log gets indexed in _internal index.
From this index , i could able to get data for last 1 month.
I need to have splunkd.log for Jan2013 .
How do i get it ?
Was the data moved to Warm db,cold db?
If ,so how can i perform Search option against those buckets ?

chris · ‎06-21-2013

I'm afraid your data is not searchable in splunk anymore. The _internal index has a frozenTimePeriodInSecs of 2419200 seconds which equals to 28 days by default, if haven't configured a coldToFrozenScript for the index the data was deleted. You can change that value by overriding the default in $SPLUNK_HOME/etc/system/local/indexes.conf. Jus add a [_internal] stanza and override any settings you want. To display the current settings you can use:

/opt/splunk/bin/splunk btool indexes list _internal
[_internal]
.
..
...
frozenTimePeriodInSecs = 2419200
..
.

View solution in original post

chris · ‎06-21-2013

I'm afraid your data is not searchable in splunk anymore. The _internal index has a frozenTimePeriodInSecs of 2419200 seconds which equals to 28 days by default, if haven't configured a coldToFrozenScript for the index the data was deleted. You can change that value by overriding the default in $SPLUNK_HOME/etc/system/local/indexes.conf. Jus add a [_internal] stanza and override any settings you want. To display the current settings you can use:

/opt/splunk/bin/splunk btool indexes list _internal
[_internal]
.
..
...
frozenTimePeriodInSecs = 2419200
..
.

chimbudp · ‎06-24-2013

thanks Chris.

How do i search indexed data in Warm Db ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation