Splunk Enterprise

How to copy/forward logs weekly to frozen archive?

rewritex
Contributor

Hello,

I'm trying to figure out how to do 3 months of HOT/WARM/COLD indexing but copy/forward logs every week to my frozen archive located in a separate location. I'm trying to compensate for some issues we are having with our infrastructure uptime.

Q: Does this make sense and is this possible? Could anyone provide examples or advice?
Q: Is there a difference in storage space used by sending data weekly vs. monthly (or every 90 days)?

Also, Splunk is installed into a Windows Environment.

Thank You,
Sean


rewritex
Contributor

Thank you for the reply. I guess I'm not asking my question correctly...

Policy
1) 90-day - searchable data (HOT/WARM/COLD)
2) 90-day - frozenTimePeriodInSecs = 7776000 (move data or if 3) is used, delete data)
3) ?? 7-days - Weekly PowerShell script to back up/copy logs to remote store

My question is on 3): to compensate for some infrastructure issues, I want to back up the indexed data sooner than waiting for the 2) frozenTimePeriodInSecs. This may not be a feasible idea or make logical sense, but this is where I'm at at the moment and I'm trying to think through it. I have set up an index cluster with servers on different network segments to help with single points of failure, so I'm hoping I can just depend on the standard 2) frozenTimePeriodInSecs policy to move data to frozen remote storage.

Thanks again,
Sean


PickleRick
SplunkTrust
Accepted solution

OK. So you'd like to copy out warm/cold buckets?

It is possible and copying warm buckets is one of the proposed backup strategies.

https://docs.splunk.com/Documentation/Splunk/8.2.4/Indexer/Backupindexeddata

But I must say I've never done it myself.


rewritex
Contributor

Lol, I wasn't searching with the correct words "hot / warm buckets". Thank you for the assistance!


PickleRick
SplunkTrust

I'm not entirely sure what you want to do, to be honest.

You want to have your normal hot/warm/cold lifecycle and then once a week move the buckets that have already rolled to frozen somewhere off-site? You can do that, of course. After the buckets are rolled to frozen, they are no longer visible to Splunk for searching, so you can safely move them outside.

But the question is whether that is really what you want, because that gives you an external copy of _old_ data (the buckets that already "expired").

And in terms of disk usage, the amount of data that gets rolled to frozen over some period should be roughly the same regardless of the schedule. After all, it depends on the amount of data ingested.

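As an added example (not code from this thread, and not Splunk's own tooling), here is one way to implement item 3) of the policy above on a Windows indexer: a PowerShell script, meant to be run weekly from Task Scheduler, that copies the read-only warm and cold buckets of one index to a remote store (the warm-bucket copy strategy the accepted answer points to) and moves whatever frozenTimePeriodInSecs has already rolled into coldToFrozenDir off-site (the case discussed in the last reply). The index path, frozen directory, UNC share, log file and the indexes.conf values quoted in the header comment are all assumptions for the example; adjust them to the local layout.

```powershell
<#
  Weekly Splunk bucket copy for a Windows indexer. Added example, not from the thread.
  Assumes indexes.conf for the index contains (example values, not from the original post):
      frozenTimePeriodInSecs = 7776000
      coldToFrozenDir = D:\splunk-frozen\main
  Every path below is an assumption; change it to match the local install.
#>
[CmdletBinding()]
param(
    # $SPLUNK_DB\<index> for the index to protect (assumed default install location)
    [string]$IndexRoot  = 'C:\Program Files\Splunk\var\lib\splunk\main',
    # must match coldToFrozenDir for that index (assumed)
    [string]$FrozenDir  = 'D:\splunk-frozen\main',
    # remote store: a UNC share the scheduled-task account can write to (assumed)
    [string]$RemoteRoot = '\\archive01\splunk-backup\main',
    [string]$LogFile    = 'D:\splunk-backup\weekly-bucket-copy.log'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $RemoteRoot, (Split-Path $LogFile) | Out-Null

function Write-Log([string]$Message) {
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# robocopy exit codes below 8 mean copied/skipped/extras; 8 and above mean something failed.
function Invoke-Robocopy([string]$Source, [string]$Destination, [string[]]$ExtraArgs = @()) {
    $rcArgs = @($Source, $Destination, '/E', '/Z', '/R:2', '/W:5', '/NP', '/NFL', '/NDL') + $ExtraArgs
    & robocopy.exe @rcArgs | Out-Null
    return ($LASTEXITCODE -lt 8)
}

# Warm buckets are db\db_*, cold buckets are colddb\db_*; both are read-only once rolled.
# Hot buckets (db\hot_v1_*) are still being written and are deliberately not matched.
function Copy-SplunkBuckets {
    $buckets = Get-ChildItem -Directory -Filter 'db_*' -ErrorAction SilentlyContinue `
        -Path (Join-Path $IndexRoot 'db'), (Join-Path $IndexRoot 'colddb')
    $copied = 0; $failed = 0
    foreach ($bucket in $buckets) {
        $dest = Join-Path $RemoteRoot $bucket.Name
        # No /MIR or /PURGE: when Splunk later freezes and deletes this bucket locally,
        # the archive copy must survive. Files already current on the share are skipped.
        if (Invoke-Robocopy $bucket.FullName $dest) { $copied++ }
        else { $failed++; Write-Log "FAILED: $($bucket.FullName)" }
    }
    Write-Log "warm/cold buckets: $copied copied or already current, $failed failed"
    return ($failed -eq 0)
}

# Buckets that frozenTimePeriodInSecs already rolled into coldToFrozenDir are no longer
# searchable, so they can be moved off-site rather than copied.
function Move-FrozenBuckets {
    if (-not (Test-Path $FrozenDir)) {
        Write-Log "frozen dir $FrozenDir not present, nothing to move"
        return $true
    }
    $dest = Join-Path $RemoteRoot 'frozen'
    $ok = Invoke-Robocopy $FrozenDir $dest @('/MOVE')
    Write-Log "frozen buckets -> ${dest}: $(if ($ok) { 'ok' } else { 'FAILED' })"
    return $ok
}

$warmColdOk = Copy-SplunkBuckets
$frozenOk   = Move-FrozenBuckets
exit $(if ($warmColdOk -and $frozenOk) { 0 } else { 1 })
```

Register it once with `schtasks /Create /SC WEEKLY /D SUN /TN "Splunk bucket copy" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File D:\scripts\Copy-SplunkBuckets.ps1" /RU <service account>` (path and account are assumptions). Two caveats a practitioner should keep in mind: in an indexer cluster each peer only holds its own bucket copies, so the job has to run on every peer (or on enough peers to cover the replication factor) to get a complete set; and buckets archived through coldToFrozenDir keep only the compressed rawdata, so searching them again later means copying them into the index's thaweddb directory and running `splunk rebuild` on each bucket, which the warm/cold copies above do not need.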