Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Exporting Data

bgill0123
Loves-to-Learn
‎09-19-2024 08:04 AM

We have recently moved to a new splunk environment and have formally cut away from the old one. The new environment works great and the  data is flowing as expected.  We now have a few years worth of data in splunk sitting on servers that are going to be repurposed. My question is what is the best way to move all that data out of splunk.  I was thinking of just freezing the index's and moving the frozen index's to s3 but I am not sure if that is the best way to do it.

Any suggestions would be welcome.

Thanks

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-19-2024 11:44 AM

There are more or less three ways of going about it.

1. Freezing the data to external storage instead of removing it - the downside is that you have to thaw the data if you ever want to use it again.

2. Simply stop your server and copy out the indexed data from the buckets - it uses much more space but you can copy those buckets back into index directory and you're ready to go (unless you forget about retention periods and your data immediately rolls to frozen ;-))

3. Bend over backwards and run a bunch of searches exporting your data to some csv or json. The upside is that you can use such export with other tools (probably after some processing) but the downside is that you won't be able to use it again with Splunk without additional magic and reingesting it into index.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...