Solved: If compressing tsidx files in frozen archives, is ...

hulahoop · ‎03-26-2010

In the sample cold to frozen script $SPLUNK_HOME/bin/compressedExport.sh.example, Splunk's tsidx files are gzipped during the freezing process. If this script is used and the bucket needs to be resurrected, can we simply copy the frozen bucket to the myindex/thaweddb directory or use the splunk resurrect command to bring the data back online? Or do the compressed tsidx files need to be uncompressed first?

jrodman · ‎04-16-2010

The tsidx files must be decompressed for search to work.

The traditional resurrect script was supposed to handle this, but it's in a sad way at the moment. For now, I would suggest simply scripting the decompression of the .tsidx.gz files.

View solution in original post

jrodman · ‎04-16-2010

The tsidx files must be decompressed for search to work.

The traditional resurrect script was supposed to handle this, but it's in a sad way at the moment. For now, I would suggest simply scripting the decompression of the .tsidx.gz files.

Lowell · ‎04-13-2016

This refers to Splunk prior to 4.2. (Very old)

Splunk 6.4 has just introduced new features to allow searching of "frozen" buckets (aka buckets with out .tsidx files)

hulahoop · ‎04-18-2010

Thank you, Josh!

If compressing tsidx files in frozen archives, is it possible to ressurect frozen data without uncompressing?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!