Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I restore buckets from frozen to cold instead of thawed?

ripzura
New Member
‎01-30-2020 05:32 AM

Can I restore buckets from frozen to cold instead of thawed?

A customer of ours has an index which had a frozentimeperiod of 35 days.
We want to increase this to 90 days but we want all the data that is currently between 35 and 90 days old (and is in frozen now) to be restored to the colddb so the (new) frozentimeperiod settings will apply and the data is automatically removed (frozen again?) when it's older than 90 days.

Can this be done easily?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-30-2020 06:05 AM

Thawed data performs no differently to cold data.

To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.

But no, you can not (without much pain and pro services ) restore it to cold.

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution

gfreitas
Builder
‎01-30-2020 06:52 AM

It doesn't make a lot of sense to do that as this data is online on Splunk and you're mainly looking to duplicate it. You can however backup Splunk data and keeps it outside of Splunk. More information about backup of Splunk data can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Backupindexeddata

0 Karma
Reply
Solved! Jump to solution

ripzura
New Member
‎01-31-2020 05:33 AM

I'm aware of the duplication. That was not an issue with this data but it's good that you explicitly mentioned that

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-30-2020 06:05 AM

Thawed data performs no differently to cold data.

To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.

But no, you can not (without much pain and pro services ) restore it to cold.

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

ripzura
New Member
‎01-31-2020 05:32 AM

Yeah that's exactly what I'm doing now. I was just wondering if this couldn't be done by splunk itself but apparently the answer is "No".

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...