Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cold to Frozen buckets question

paccio84
New Member
‎01-29-2020 03:53 AM

Hi @All,
I will explain my situation now:

  • On my Splunk Enterprise (7.2.6) environment I have configured the option ColdToFrozenScript=(script path) and frozenTimePeriodInSecs = 10368000 (120 days).

  • The costumer would like to extend the storage and maintain cold buckets for 3 years (not more 120 days)

  • In the same time they would like to have these frozen buckets/archives created automatically after 120 days

My question is: Is it possible to frozen cold buckets after 120 days and in the same time maintain one searchable copy of them (cold) for 3 years?

Thanks in advance

Regards

Federico

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-29-2020 05:19 AM

Once data is frozen it is "offline" and no longer searchable by Splunk.

If I have understood, you should configure splunk with a frozenTimePeriodInSecs which matches the requirements (3 years)
- this will give you searchable data up to 3 years.

Splunk does not manage anything in the frozen path - if you want to archive/move/delete frozen buckets120 days after they are frozen, you will need to script a process (external to splunk) to manage that.

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-29-2020 05:19 AM

Once data is frozen it is "offline" and no longer searchable by Splunk.

If I have understood, you should configure splunk with a frozenTimePeriodInSecs which matches the requirements (3 years)
- this will give you searchable data up to 3 years.

Splunk does not manage anything in the frozen path - if you want to archive/move/delete frozen buckets120 days after they are frozen, you will need to script a process (external to splunk) to manage that.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...