Getting Data In

Splunk bucketing

itzkirankumar1
Explorer

Hello everyone

I would like to know the steps to achieve the below questions. Can anyone please help me?
1. How to move data from a cold bucket to a hot bucket (I have already gone through some steps in the community, like take the backup of the cold bucket and replace the hot bucket with that, something like that, but I was not clear...)

Can anyone please help me with the steps?
2. Second, in a log I have 2 different kinds of logs. I want to send those to different indexes.
Ex: I have a and b in the log. I want to send a to index1 and b to index2.

Can anyone please provide the steps to achieve the above?

0 Karma

woodcock
Esteemed Legend

Perhaps you are using the wrong terms and thus asking the wrong question because, as written, what you are asking makes no sense at all. Perhaps what you are meaning to ask is, "How do I thaw frozen data to make it searchable again?" That question makes a great deal of sense, and even has answers, but nowhere in those answers is there any step to make a bucket hot again.
The answer to my reformulation of your question is here:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata
But keep in mind that this only will work if you have first done this (which most people have not done):
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Automatearchiving
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Backupindexeddata

0 Karma

woodcock
Esteemed Legend

1: You cannot create hot buckets, only splunkd can.
2: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma
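
For the second question (sending events "a" and "b" from one log to index1 and index2), this is an added example of the index-routing configuration covered by the linked route-and-filter documentation. It is not part of the original posts. The sourcetype name `mixed_app_log` and the `type=a` / `type=b` markers in the regexes are assumptions to adapt to the real events.

```ini
# ---- props.conf ----
# Must live on the instance that parses the data (indexer or heavy
# forwarder). A universal forwarder does not apply these transforms.
# "mixed_app_log" is an assumed sourcetype for the log holding both kinds.
[mixed_app_log]
TRANSFORMS-route_by_type = route_a_to_index1, route_b_to_index2

# ---- transforms.conf (same instance) ----
# Assumed pattern: events of kind "a" contain the literal text type=a
[route_a_to_index1]
REGEX = \btype=a\b
DEST_KEY = _MetaData:Index
FORMAT = index1

# Assumed pattern: events of kind "b" contain the literal text type=b
[route_b_to_index2]
REGEX = \btype=b\b
DEST_KEY = _MetaData:Index
FORMAT = index2

# Events matching neither regex stay in the index set in inputs.conf.
# index1 and index2 must already exist on the indexers, and the routing
# only applies to data indexed after the change and a restart.
```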

itzkirankumar1
Explorer

Thanks for the inputs, but I want to retrieve cold bucket data to a hot bucket. Is it possible?

0 Karma

woodcock
Esteemed Legend

IT IS IMPOSSIBLE and furthermore doesn't even make sense. If you really mean warm instead of hot then all you need to do is move the bucket folder and restart the Cluster Master. But even that is pretty pointless because unless you have modified frozenTimePeriodInSeconds or expanded your warm disk volume, it is just going to move back to cold immediately. See my new answer.

0 Karma