Time range of frozen bucket

rgoodwin152
Loves-to-Learn Lots

Is there a command that I can run that will show me the time range for the events that are in a frozen bucket? We would like to determine the time range of the frozen bucket so we know if we can delete it or restore it.

0 Karma

nickhills
Ultra Champion

The time range for a bucket is given in the bucket's file name (this is also the case for warm/cold buckets).

e.g.
db_1552617140_1552530786_3000524

This bucket contains events from Thursday, 14 March 2019 02:33:06 - 15 March 2019 02:32:20.
The first numeric value is the latest time (in epoch).
The second numeric value is the earliest time (in epoch).
The third numeric value is the bucket ID.

Once a bucket is frozen, Splunk essentially 'forgets' about it - there is no ongoing record of historic frozen buckets, so you have to use the filename.
Your _internal index will, however, have records of the freezing actions taken recently (depending on your _internal retention), so you may be able to extract some data from these logs for recently frozen buckets.
You could build a search to collate all the recently frozen buckets and write this to a lookup to preserve an ongoing record which you would then be able to query.

If my comment helps, please give it a thumbs up!
0 Karma
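As an added example (not part of the thread above, and not Splunk's own tooling), the following script applies the naming rule from the answer to a directory listing of a frozen path: it parses `db_<latest>_<earliest>_<id>` names into UTC time ranges and sorts buckets into "older than retention, safe to delete" versus "still inside the window, candidate for restore". It assumes that clustered replica buckets follow the same layout with an `rb_` prefix and a trailing peer GUID, and the 365-day retention figure and the directory names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Bucket directory names encode the event time range: db_<latest>_<earliest>_<id>.
# Assumption: clustered replica buckets use an rb_ prefix plus a trailing peer GUID.
BUCKET_RE = re.compile(
    r"^(?P<kind>db|rb)_(?P<latest>\d+)_(?P<earliest>\d+)_(?P<bucket_id>\d+)"
    r"(?:_(?P<guid>[0-9A-Fa-f-]+))?$"
)


def parse_bucket_name(name):
    """Return (earliest, latest, bucket_id) with UTC datetimes, or None if not a bucket name."""
    m = BUCKET_RE.match(name)
    if m is None:
        return None
    earliest = datetime.fromtimestamp(int(m["earliest"]), tz=timezone.utc)
    latest = datetime.fromtimestamp(int(m["latest"]), tz=timezone.utc)
    if earliest > latest:
        return None  # malformed: the name does not follow the latest_earliest order
    return earliest, latest, int(m["bucket_id"])


def classify_frozen(names, retention_days, now_epoch):
    """Split names into buckets whose newest event is outside the retention window
    (deletable) and buckets still inside it (restorable). Non-bucket names are skipped."""
    cutoff = now_epoch - retention_days * 86400
    deletable, restorable = [], []
    for name in names:
        parsed = parse_bucket_name(name)
        if parsed is None:
            continue
        latest = parsed[1]
        # Only the newest event matters: if it is still inside the window, keep the bucket.
        (deletable if latest.timestamp() < cutoff else restorable).append(name)
    return deletable, restorable


if __name__ == "__main__":
    # Constructed listing of a coldToFrozenDir (example names only, not real data).
    frozen_dir = [
        "db_1552617140_1552530786_3000524",
        "db_1584153600_1584067200_3000999",
        "rb_1584240000_1584153600_3001000_0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9",
        "lost+found",
    ]
    for n in frozen_dir:
        p = parse_bucket_name(n)
        if p:
            print(f"{n}: {p[0]:%Y-%m-%d %H:%M:%S} - {p[1]:%Y-%m-%d %H:%M:%S} UTC (id {p[2]})")
    # Hypothetical policy: keep 365 days, evaluated as of 2020-04-01 00:00 UTC.
    print(classify_frozen(frozen_dir, 365, 1585699200))
```

Run it with `os.listdir()` of the actual frozen directory in place of the constructed list; the epoch values in the names are UTC, so the printed ranges do not depend on the indexer's local time zone.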