Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data Retention - can we copy frozendb to tape?

scott778
Explorer
‎10-28-2015 12:19 PM

Is it possible to archive frozendbs to tape and pull that data back for splunk to read at a later date?

For example, I'd like to do something like this.

All data has to be retained for 3 years.

Warm / Hot Dbs = 3 months
frozendb = 1 year
Frozendb is backed up to tape once per year.

0 Karma
Reply

the_wolverine
Champion
‎10-28-2015 01:07 PM

You can copy frozendb to any location that you like. Just make sure you can pull the data out of it when you need it.

Reply

scott778
Explorer
‎10-28-2015 02:17 PM

How could we restore that data? If we had to pull a tape back from 2 years ago could I point a new index at the frozendb folder from 2 years ago and run queries?

0 Karma
Reply

the_wolverine
Champion
‎10-28-2015 02:26 PM

You have to manually copy the data to the thawedb directory. The thaw directory is configured in indexes.conf. Please refer to the documentation as the process is a bit more involved than that:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Indexer/Restorearchiveddata

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...