Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

bucket roll logging

maada
Explorer
‎05-09-2017 11:00 PM

Hi,

does Splunk logs somewhere internal how / when buckets are rolled, e.g. from cold to frozen?

reason: frozen buckets are archived in a diferent location, if a certain bucket from a certain time period needs to be restored it would be great to search for the name / time frame to find that and bring only this (or a couple of buckets) back instead of e.g. two years of data.

thanks.

Tags (2)
Reply

adonio
Ultra Champion
‎05-10-2017 05:56 AM

hello @maada,
@dnitschke provided the correct search in answer above, however I would like to elaborate.
The internal index, which contains the data you seek, has a default size of 500GB and retention period of 2592000 seconds (30 days)
thinking about your use case, capturing buckets who moved to frozen, maybe it is better to capture the data and send to a lookup table or kv_store to keep track. if you dont, in 30 days that event is gone.
i have to re check, but i think that the | dbinspect can present frozen buckets as well
just my 2 cents

0 Karma
Reply

ctaf
Contributor
‎05-10-2017 03:12 AM

Hi,

You could run the following search to find these informations:

index=_internal "finished moving"
0 Karma
Reply

dnitschke_splun
Splunk Employee
Splunk Employee
‎05-10-2017 03:07 AM

Check if

index=_internal sourcetype=splunkd component=BucketMover

gives you what you are looking for.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...