Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i search indexed data in Warm Db ?

chimbudp
Contributor
‎06-21-2013 05:17 AM

splunkd.log gets indexed in _internal index.
From this index , i could able to get data for last 1 month.
I need to have splunkd.log for Jan2013 .
How do i get it ?
Was the data moved to Warm db,cold db?
If ,so how can i perform Search option against those buckets ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎06-21-2013 07:50 AM

I'm afraid your data is not searchable in splunk anymore. The _internal index has a frozenTimePeriodInSecs of 2419200 seconds which equals to 28 days by default, if haven't configured a coldToFrozenScript for the index the data was deleted. You can change that value by overriding the default in $SPLUNK_HOME/etc/system/local/indexes.conf. Jus add a [_internal] stanza and override any settings you want. To display the current settings you can use:

/opt/splunk/bin/splunk btool indexes list _internal
[_internal]
.
..
...
frozenTimePeriodInSecs = 2419200
..
.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chris
Motivator
‎06-21-2013 07:50 AM

I'm afraid your data is not searchable in splunk anymore. The _internal index has a frozenTimePeriodInSecs of 2419200 seconds which equals to 28 days by default, if haven't configured a coldToFrozenScript for the index the data was deleted. You can change that value by overriding the default in $SPLUNK_HOME/etc/system/local/indexes.conf. Jus add a [_internal] stanza and override any settings you want. To display the current settings you can use:

/opt/splunk/bin/splunk btool indexes list _internal
[_internal]
.
..
...
frozenTimePeriodInSecs = 2419200
..
.
0 Karma
Reply
Solved! Jump to solution

chimbudp
Contributor
‎06-24-2013 04:22 AM

thanks Chris.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...