Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exporting Data

bgill0123
Loves-to-Learn
‎09-19-2024 08:04 AM

We have recently moved to a new splunk environment and have formally cut away from the old one. The new environment works great and the  data is flowing as expected.  We now have a few years worth of data in splunk sitting on servers that are going to be repurposed. My question is what is the best way to move all that data out of splunk.  I was thinking of just freezing the index's and moving the frozen index's to s3 but I am not sure if that is the best way to do it.

Any suggestions would be welcome.

Thanks

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-19-2024 11:44 AM

There are more or less three ways of going about it.

1. Freezing the data to external storage instead of removing it - the downside is that you have to thaw the data if you ever want to use it again.

2. Simply stop your server and copy out the indexed data from the buckets - it uses much more space but you can copy those buckets back into index directory and you're ready to go (unless you forget about retention periods and your data immediately rolls to frozen ;-))

3. Bend over backwards and run a bunch of searches exporting your data to some csv or json. The upside is that you can use such export with other tools (probably after some processing) but the downside is that you won't be able to use it again with Splunk without additional magic and reingesting it into index.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top