Moving Splunk data to S3 bucket in a Cluster envir...

shrogers · ‎01-20-2021

Hi Everyone,

I'm looking for a working package that can move data from the Splunk cluster environment to the S3 bucket for archiving. All examples I'm getting does work.

richgalloway · ‎01-20-2021

Well, there's SmartStore, which is built-in to Splunk.

Beyond that, we'll need more information. Is your Splunk on-prem, private cloud, or Splunk Cloud? How do you want the data stored in S3 (searchable by Splunk or something else)?

What examples have you tried so far?

---
If this reply helps you, Karma would be appreciated.

shrogers · ‎01-20-2021

Thank you your quick response. Smartstore would require a whole new setup and we are not able to go down that route.

It's an on-prem cluster environment. We just want to archive index data to S3 after 90 days. If we need to get it searchable, we'll get it done manually.

richgalloway · ‎01-21-2021

Write a coldToFrozenScript. This script is invoked by Splunk when a bucket is due to be archived. See 'coldToFrozenScript ' in the Admin manual (https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Indexesconf#indexes.conf.spec)

---
If this reply helps you, Karma would be appreciated.

Moving Splunk data to S3 bucket in a Cluster environment

Other

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting