Deployment Architecture

Cold to Frozen buckets question

paccio84
New Member

Hi @All,
I will explain my situation now:

  • On my Splunk Enterprise (7.2.6) environment I have configured the option ColdToFrozenScript=(script path) and frozenTimePeriodInSecs = 10368000 (120 days).

  • The costumer would like to extend the storage and maintain cold buckets for 3 years (not more 120 days)

  • In the same time they would like to have these frozen buckets/archives created automatically after 120 days

My question is: Is it possible to frozen cold buckets after 120 days and in the same time maintain one searchable copy of them (cold) for 3 years?

Thanks in advance

Regards

Federico

0 Karma
1 Solution

nickhills
Ultra Champion

Once data is frozen it is "offline" and no longer searchable by Splunk.

If I have understood, you should configure splunk with a frozenTimePeriodInSecs which matches the requirements (3 years)
- this will give you searchable data up to 3 years.

Splunk does not manage anything in the frozen path - if you want to archive/move/delete frozen buckets120 days after they are frozen, you will need to script a process (external to splunk) to manage that.

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

Once data is frozen it is "offline" and no longer searchable by Splunk.

If I have understood, you should configure splunk with a frozenTimePeriodInSecs which matches the requirements (3 years)
- this will give you searchable data up to 3 years.

Splunk does not manage anything in the frozen path - if you want to archive/move/delete frozen buckets120 days after they are frozen, you will need to script a process (external to splunk) to manage that.

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...