Splunk Search

How is frozen data accessed in splunk?


I've been looking at sizing a Splunk instance based on https://splunk-sizing.appspot.com/#v=10 and it mentions hot, cold and frozen data.

If you want to access the frozen data for some reason, what do you need to do?

This refers to the frozen data that im asking about

0 Karma

Ultra Champion

Please keep in mind the following -


Caution: By default, the indexer deletes all frozen data. It removes the data from the index at the moment it becomes frozen. If you need to keep the data around, you must configure the indexer to archive the data before removing it. You do this by either setting the coldToFrozenDir attribute or specifying a valid coldToFrozenScript in indexes.conf.

0 Karma


The answer is a bit of it depends. With Splunk Enterprise alone currently, you would have to restore the frozen bucket (in other words you would thaw the bucket) and then Splunk can search the contents.

See: http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Restorearchiveddata

If you have Hunk, you might be able to age buckets out to HDFS or S3 instead and then just keep searching them as you search for other data, just with the overhead of doing such a search on older data. http://docs.splunk.com/Documentation/Hunk/6.3.1/Hunk/ArchivingSplunkindexes

Ultra Champion

Please keep in mind that the Hunk solution requires an Hadoop cluster ; -) if it's not clear...

0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...