Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

[SmartStore] How to get only frozen data to get archived in S3

brunofernandez
Explorer
‎01-31-2019 12:39 PM

Currently doing a SmartStore POC. The goal is to send only the frozen data to s3 but for an unknown reason (to me), the entire index was sent to S3....

Here is my indexes.conf:


[prometheus_dock]
coldPath = $SPLUNK_DB/prometheus_dock/colddb
datatype = metric
homePath = $SPLUNK_DB/prometheus_dock/db
maxTotalDataSizeMB = 256000
thawedPath = $SPLUNK_DB/prometheus_dock/thaweddb
maxHotSpanSecs = 86400
frozenTimePeriodInSecs = 648000
remotePath = volume:s3/prometheus_dock

Index size in Splunk: 7.75GB

When I query aws s3 to get bucket size:

```
ws s3 ls --summarize --human-readable --recursive s3://splunkdockbucket/

Total Objects: 425
Total Size: 7.7 GiB
```

How to configure indexes.conf to only archive frozen data...?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 12:59 PM

Smartstore is a solution for sending warm/cold data to S3. It is designed to still make the data able to be searched.

If you want to do frozen Data, take a look at the discussions here: https://answers.splunk.com/answers/56522/frozen-archives-into-amazon-s3.html#answer-351891

All the best 🙂

View solution in original post

Reply
Solved! Jump to solution

brunofernandez
Explorer
‎01-31-2019 01:10 PM

Thank you @chrisyoungerjds. I guess SmartStore is working perfectly than. tks. 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎01-31-2019 12:59 PM

Smartstore is a solution for sending warm/cold data to S3. It is designed to still make the data able to be searched.

If you want to do frozen Data, take a look at the discussions here: https://answers.splunk.com/answers/56522/frozen-archives-into-amazon-s3.html#answer-351891

All the best 🙂

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...