Hello, I modified my cold bucket location, and I want to perform some test queries for data residing in cold buckets storage only. Is there a way to do this?
One option could be to test with the time range of the cold buckets. Log on to the indexer, go to the $SPLUNK_DB/yourIndexName/colddb folder, pick up some buckets and get the time range for the data they store. The bucket name would look like db_epochLatestTime_epochEarliestTime_somecounter. Then you can run searches like this:
index=yourindex earliest=epochEarliestTime latest=epochLatestTime
Thank you! Ok, that seemed to work, but this is what I do not understand. I'm querying for data sitting in our old cold directory using the time stamp and I'm getting results, how? What I was expecting is that I would get no results, then manually copy the data to the new cold directory as specified, then re-try the query and I would get results, in order to test moving data from the old cold directory to the new one.
Did you make changes to your indexes.conf to update the colddb location and restart the Splunk Indexer(s)?
Yes, and after I restarted Splunk I think newly created directories and data are being created in my new cold bucket location. Simply, as I stated, what I would like to do is query for data that I did not copy over (with the expected result of no data retrieved for that time period), then manually copy cold bucket data from the old location to the new location, re-query and now see the data.
Ok, gotcha. The problem is that a bucket with the name db_epochLatestTime_epochEarliestTime_somecounter doesn't contain all the events from the period epochLatestTime and epochEarliestTime. There will be overlap between data for a day/period spread across multiple buckets. What you can do is pick up a bucket in the old location, open the rawdata file (compressed file), zcat the first few lines, find the keywords for that data and search in Splunk (you need to look for some kind of primary key). When the bucket is in the old location, you should see the data for that primary key and should see once they are copied over.
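The two answers above combine into one check, shown here as an added example that is not part of the original thread: it parses bucket directory names, builds the time-bounded search for each old cold bucket, and lists buckets in other locations whose time range overlaps it. The bucket names are constructed samples, the function names are hypothetical, and acceptance of the `rb_` prefix and a trailing GUID is an assumption about clustered indexers.

```python
import re
from typing import NamedTuple, Optional

# Name layout from the thread: db_<epochLatestTime>_<epochEarliestTime>_<counter>.
# Assumption: rb_ (replicated copy) and an optional trailing _<GUID> are also accepted.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")

class Bucket(NamedTuple):
    name: str
    earliest: int
    latest: int

def parse_bucket(name: str) -> Optional[Bucket]:
    """Return the bucket's time range, or None for hot buckets and stray entries."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    latest, earliest = int(m.group(1)), int(m.group(2))
    return Bucket(name, earliest, latest) if earliest <= latest else None

def search_for(index: str, b: Bucket) -> str:
    # latest= is exclusive in Splunk searches, so add one second to keep
    # the newest event of the bucket inside the window.
    return f"index={index} earliest={b.earliest} latest={b.latest + 1}"

def overlapping(target: Bucket, others: list) -> list:
    """Names of buckets whose [earliest, latest] range intersects the target's."""
    return [o.name for o in others
            if o.earliest <= target.latest and target.earliest <= o.latest]

def plan(index: str, old_cold: list, elsewhere: list) -> dict:
    """Map each old cold bucket to (search string, overlapping buckets elsewhere)."""
    others = [b for b in map(parse_bucket, elsewhere) if b]
    return {b.name: (search_for(index, b), overlapping(b, others))
            for b in map(parse_bucket, old_cold) if b}

# Constructed sample listings (in practice: os.listdir() of each directory).
OLD_COLD = ["db_1700086399_1700000000_12", "db_1700259199_1700172800_14"]
ELSEWHERE = ["db_1700100000_1700050000_31", "db_1700400000_1700300000_33", "hot_v1_40"]

if __name__ == "__main__":
    for name, (search, overlaps) in plan("yourindex", OLD_COLD, ELSEWHERE).items():
        note = "overlaps " + ", ".join(overlaps) if overlaps else "no overlap found"
        print(f"{name}: {search}  [{note}]")
```

A bucket reported with no overlap is the cleaner candidate for the before-and-after copy test; one with overlaps will return events from the other buckets regardless of where it sits.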