Hi @All,
I will explain my situation now:
On my Splunk Enterprise (7.2.6) environment I have configured the option ColdToFrozenScript=(script path) and frozenTimePeriodInSecs = 10368000 (120 days).
The customer would like to extend the storage and maintain cold buckets for 3 years (no longer 120 days).
At the same time, they would like to have these frozen buckets/archives created automatically after 120 days.
My question is: Is it possible to freeze cold buckets after 120 days and at the same time maintain one searchable copy of them (cold) for 3 years?
Thanks in advance
Regards
Federico
Once data is frozen it is "offline" and no longer searchable by Splunk.
If I have understood, you should configure Splunk with a frozenTimePeriodInSecs which matches the requirements (3 years)
- this will give you searchable data up to 3 years.
Splunk does not manage anything in the frozen path - if you want to archive/move/delete frozen buckets 120 days after they are frozen, you will need to script a process (external to Splunk) to manage that.
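A sketch of the external housekeeping process the answer describes, added here as an example and not part of the original thread or of Splunk itself. It assumes the archive script writes each bucket as a directory under `<frozen_root>/<index>/` and that the directory's mtime is the time it was frozen; the function names and layout are hypothetical.

```python
import os
import re
import shutil
import sys
import time

# Splunk bucket directory names: db_<newest>_<oldest>_<id>, rb_ for replicated
# copies, with an optional _<guid> suffix on clustered indexers.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")


def expired_frozen_buckets(frozen_root, max_age_days, now=None):
    """Return bucket dirs under frozen_root/<index>/ frozen over max_age_days ago.

    Assumption: the directory mtime is the time the archive script wrote it.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    expired = []
    for index_name in sorted(os.listdir(frozen_root)):
        index_dir = os.path.join(frozen_root, index_name)
        if os.path.islink(index_dir) or not os.path.isdir(index_dir):
            continue
        for name in sorted(os.listdir(index_dir)):
            path = os.path.join(index_dir, name)
            # Only real directories with a bucket-shaped name are candidates,
            # so stray files and symlinks in the archive are never touched.
            if not BUCKET_RE.match(name) or os.path.islink(path) or not os.path.isdir(path):
                continue
            if os.stat(path).st_mtime < cutoff:
                expired.append(path)
    return expired


def prune(frozen_root, max_age_days, dry_run=True, now=None):
    """List expired buckets; delete them only when dry_run is False."""
    targets = expired_frozen_buckets(frozen_root, max_age_days, now)
    if not dry_run:
        for path in targets:
            shutil.rmtree(path)
    return targets


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: prune_frozen.py <frozen_root> [days]; dry run, prints candidates.
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 120
    for bucket in prune(sys.argv[1], days):
        print(bucket)
```

Run it in dry-run mode from cron first and review the printed paths before switching `dry_run` off, since deleted frozen buckets cannot be thawed back into Splunk.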