Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How is frozen data accessed in splunk?

danielphome
Engager
‎02-28-2016 02:46 PM

I've been looking at sizing a Splunk instance based on https://splunk-sizing.appspot.com/#v=10 and it mentions hot, cold and frozen data.

If you want to access the frozen data for some reason, what do you need to do?

This refers to the frozen data that im asking about

Preview file
22 KB
0 Karma
Reply

ddrillic
Ultra Champion
‎02-28-2016 04:58 PM

Please keep in mind the following -

http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Automatearchiving

Caution: By default, the indexer deletes all frozen data. It removes the data from the index at the moment it becomes frozen. If you need to keep the data around, you must configure the indexer to archive the data before removing it. You do this by either setting the coldToFrozenDir attribute or specifying a valid coldToFrozenScript in indexes.conf.

0 Karma
Reply

acharlieh
Influencer
‎02-28-2016 03:12 PM

The answer is a bit of it depends. With Splunk Enterprise alone currently, you would have to restore the frozen bucket (in other words you would thaw the bucket) and then Splunk can search the contents.

See: http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Restorearchiveddata

If you have Hunk, you might be able to age buckets out to HDFS or S3 instead and then just keep searching them as you search for other data, just with the overhead of doing such a search on older data. http://docs.splunk.com/Documentation/Hunk/6.3.1/Hunk/ArchivingSplunkindexes

Reply

ddrillic
Ultra Champion
‎02-28-2016 05:11 PM

Please keep in mind that the Hunk solution requires an Hadoop cluster ; -) if it's not clear...

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...