Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a default retention period for an index residing in a thawed path and how is it applied?

splunker12er
Motivator
‎11-23-2014 01:22 AM

After I restore the archived data in thawed path and rebuild the index - Splunk recognizes the data.

What is the life-time of the data residing in the thawed path? Is there any default retention period for this?

By default splunk data rotation (hotdb->warmdb->colddb(deleted after 6 years))
Now, I place the buckets inside a thawed path and rebuilt it. How is that default policy is applied here?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-23-2014 04:07 AM

If the bucket was frozen due to age, retention would immediately re-freeze it. If it was frozen due to index size, that would also immediately re-freeze it.

As a result, thawed buckets are outside the scope of both retention time and size restrictions for that index, the Splunk admins handle these themselves.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...