Re: Send Splunk Archive Logs to Ceph S3

splunkuser109 · ‎04-01-2021

How can we automatically send frozen/archived splunk logs from the indexers over to a Ceph S3 bucket using the indexers.conf file on the indexers?

richgalloway · ‎04-01-2021

---
If this reply helps you, Karma would be appreciated.

splunkuser109 · ‎04-01-2021

Hmm so it doesn’t look like there’s an easy way for us to automatically copy over the frozen logs directly to the ceph s3 bucket?

Do you have any ideas on how we can write a script to copy over frozen buckets over to ceph s3 buckets?

richgalloway · ‎04-01-2021

Personally, I like Visual Studio Code, but notepad++ is good, too. 😀

---
If this reply helps you, Karma would be appreciated.

splunkuser109 · ‎04-01-2021

hahaha. Can remotePath (ceph s3 bucket) not be used to store the cold or frozen buckets/logs?

richgalloway · ‎04-02-2021

remotePath is used for warm/cold buckets. This is part of the SmartStore feature. Frozen buckets are different and are not stored by SmarStore.

There is an example coldToFrozenScript in $SPLUNK_HOME/bin.

---
If this reply helps you, Karma would be appreciated.

Send Splunk Archive Logs to Ceph S3