I have an EC2 Splunk instance writing frozen data to an S3 bucket (via s3fs).
Where would I find in the Splunk logs a history to monitor when data is written to, and how much data is written to, the frozen dir?
Thank you.
Try this and see if it's what you're looking for:
index=_internal source=*splunkd.log Reason="' frozen_buckets'"
index = _internal is correct. FYI, when looking for s3fs events I have to search for the s3fs mount point, like
the following (where foo is the s3fs mount point):
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" "/foo/frozen_archive/some_index_of_interest"