Can I restore buckets from frozen to cold instead of thawed?
A customer of ours has an index which had a frozentimeperiod of 35 days.
We want to increase this to 90 days but we want all the data that is currently between 35 and 90 days old (and is in frozen now) to be restored to the colddb so the (new) frozentimeperiod settings will apply and the data is automatically removed (frozen again?) when it's older than 90 days.
Can this be done easily?
Thawed data performs no differently to cold data.
To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.
But no, you can not (without much pain and pro services ) restore it to cold.
It doesn't make a lot of sense to do that as this data is online on Splunk and you're mainly looking to duplicate it. You can however backup Splunk data and keeps it outside of Splunk. More information about backup of Splunk data can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Backupindexeddata
I'm aware of the duplication. That was not an issue with this data but it's good that you explicitly mentioned that
Thawed data performs no differently to cold data.
To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.
But no, you can not (without much pain and pro services ) restore it to cold.
Yeah that's exactly what I'm doing now. I was just wondering if this couldn't be done by splunk itself but apparently the answer is "No".