Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

[SmartStore] How to get only frozen data to get archived in S3

brunofernandez
Explorer
‎01-31-2019 12:39 PM

Currently doing a SmartStore POC. The goal is to send only the frozen data to s3 but for an unknown reason (to me), the entire index was sent to S3....

Here is my indexes.conf:


[prometheus_dock]
coldPath = $SPLUNK_DB/prometheus_dock/colddb
datatype = metric
homePath = $SPLUNK_DB/prometheus_dock/db
maxTotalDataSizeMB = 256000
thawedPath = $SPLUNK_DB/prometheus_dock/thaweddb
maxHotSpanSecs = 86400
frozenTimePeriodInSecs = 648000
remotePath = volume:s3/prometheus_dock

Index size in Splunk: 7.75GB

When I query aws s3 to get bucket size:

```
ws s3 ls --summarize --human-readable --recursive s3://splunkdockbucket/

Total Objects: 425
Total Size: 7.7 GiB
```

How to configure indexes.conf to only archive frozen data...?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 12:59 PM

Smartstore is a solution for sending warm/cold data to S3. It is designed to still make the data able to be searched.

If you want to do frozen Data, take a look at the discussions here: https://answers.splunk.com/answers/56522/frozen-archives-into-amazon-s3.html#answer-351891

All the best 🙂

View solution in original post

Reply
Solved! Jump to solution

brunofernandez
Explorer
‎01-31-2019 01:10 PM

Thank you @chrisyoungerjds. I guess SmartStore is working perfectly than. tks. 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 12:59 PM

Smartstore is a solution for sending warm/cold data to S3. It is designed to still make the data able to be searched.

If you want to do frozen Data, take a look at the discussions here: https://answers.splunk.com/answers/56522/frozen-archives-into-amazon-s3.html#answer-351891

All the best 🙂

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...