Splunk Enterprise

Can I restore buckets from frozen to cold instead of thawed?

ripzura
New Member

Can I restore buckets from frozen to cold instead of thawed?

A customer of ours has an index which had a frozentimeperiod of 35 days.
We want to increase this to 90 days but we want all the data that is currently between 35 and 90 days old (and is in frozen now) to be restored to the colddb so the (new) frozentimeperiod settings will apply and the data is automatically removed (frozen again?) when it's older than 90 days.

Can this be done easily?

Tags (1)
0 Karma
1 Solution

nickhills
Ultra Champion

Thawed data performs no differently to cold data.

To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.

But no, you can not (without much pain and pro services ) restore it to cold.

If my comment helps, please give it a thumbs up!

View solution in original post

gfreitas
Builder

It doesn't make a lot of sense to do that as this data is online on Splunk and you're mainly looking to duplicate it. You can however backup Splunk data and keeps it outside of Splunk. More information about backup of Splunk data can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Backupindexeddata

0 Karma

ripzura
New Member

I'm aware of the duplication. That was not an issue with this data but it's good that you explicitly mentioned that

0 Karma

nickhills
Ultra Champion

Thawed data performs no differently to cold data.

To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.

But no, you can not (without much pain and pro services ) restore it to cold.

If my comment helps, please give it a thumbs up!

ripzura
New Member

Yeah that's exactly what I'm doing now. I was just wondering if this couldn't be done by splunk itself but apparently the answer is "No".

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...