How is frozen data accessed in splunk?

danielphome · ‎02-28-2016

I've been looking at sizing a Splunk instance based on https://splunk-sizing.appspot.com/#v=10 and it mentions hot, cold and frozen data.

If you want to access the frozen data for some reason, what do you need to do?

ddrillic · ‎02-28-2016

Please keep in mind the following -

http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Automatearchiving

Caution: By default, the indexer deletes all frozen data. It removes the data from the index at the moment it becomes frozen. If you need to keep the data around, you must configure the indexer to archive the data before removing it. You do this by either setting the coldToFrozenDir attribute or specifying a valid coldToFrozenScript in indexes.conf.

acharlieh · ‎02-28-2016

The answer is a bit of it depends. With Splunk Enterprise alone currently, you would have to restore the frozen bucket (in other words you would thaw the bucket) and then Splunk can search the contents.

See: http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Restorearchiveddata

If you have Hunk, you might be able to age buckets out to HDFS or S3 instead and then just keep searching them as you search for other data, just with the overhead of doing such a search on older data. http://docs.splunk.com/Documentation/Hunk/6.3.1/Hunk/ArchivingSplunkindexes

ddrillic · ‎02-28-2016

Please keep in mind that the Hunk solution requires an Hadoop cluster ; -) if it's not clear...

How is frozen data accessed in splunk?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience