Splunk Search

How is frozen data accessed in splunk?

danielphome
Engager

I've been looking at sizing a Splunk instance based on https://splunk-sizing.appspot.com/#v=10 and it mentions hot, cold and frozen data.

If you want to access the frozen data for some reason, what do you need to do?

This refers to the frozen data that im asking about

0 Karma

ddrillic
Ultra Champion

Please keep in mind the following -

http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Automatearchiving

Caution: By default, the indexer deletes all frozen data. It removes the data from the index at the moment it becomes frozen. If you need to keep the data around, you must configure the indexer to archive the data before removing it. You do this by either setting the coldToFrozenDir attribute or specifying a valid coldToFrozenScript in indexes.conf.

0 Karma

acharlieh
Influencer

The answer is a bit of it depends. With Splunk Enterprise alone currently, you would have to restore the frozen bucket (in other words you would thaw the bucket) and then Splunk can search the contents.

See: http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Restorearchiveddata

If you have Hunk, you might be able to age buckets out to HDFS or S3 instead and then just keep searching them as you search for other data, just with the overhead of doing such a search on older data. http://docs.splunk.com/Documentation/Hunk/6.3.1/Hunk/ArchivingSplunkindexes

ddrillic
Ultra Champion

Please keep in mind that the Hunk solution requires an Hadoop cluster ; -) if it's not clear...

0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...