Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a default retention period for an index residing in a thawed path and how is it applied?

splunker12er
Motivator
‎11-23-2014 01:22 AM

After I restore the archived data in thawed path and rebuild the index - Splunk recognizes the data.

What is the life-time of the data residing in the thawed path? Is there any default retention period for this?

By default splunk data rotation (hotdb->warmdb->colddb(deleted after 6 years))
Now, I place the buckets inside a thawed path and rebuilt it. How is that default policy is applied here?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-23-2014 04:07 AM

If the bucket was frozen due to age, retention would immediately re-freeze it. If it was frozen due to index size, that would also immediately re-freeze it.

As a result, thawed buckets are outside the scope of both retention time and size restrictions for that index, the Splunk admins handle these themselves.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...