Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I restore buckets from frozen to cold instead of thawed?

ripzura
New Member
‎01-30-2020 05:32 AM

Can I restore buckets from frozen to cold instead of thawed?

A customer of ours has an index which had a frozentimeperiod of 35 days.
We want to increase this to 90 days but we want all the data that is currently between 35 and 90 days old (and is in frozen now) to be restored to the colddb so the (new) frozentimeperiod settings will apply and the data is automatically removed (frozen again?) when it's older than 90 days.

Can this be done easily?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-30-2020 06:05 AM

Thawed data performs no differently to cold data.

To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.

But no, you can not (without much pain and pro services ) restore it to cold.

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution

gfreitas
Builder
‎01-30-2020 06:52 AM

It doesn't make a lot of sense to do that as this data is online on Splunk and you're mainly looking to duplicate it. You can however backup Splunk data and keeps it outside of Splunk. More information about backup of Splunk data can be found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Backupindexeddata

0 Karma
Reply
Solved! Jump to solution

ripzura
New Member
‎01-31-2020 05:33 AM

I'm aware of the duplication. That was not an issue with this data but it's good that you explicitly mentioned that

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-30-2020 06:05 AM

Thawed data performs no differently to cold data.

To get you past the 35-90 day window, thaw it, wait 90 days, then remove it and let the automated process manage it from that point.

But no, you can not (without much pain and pro services ) restore it to cold.

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

ripzura
New Member
‎01-31-2020 05:32 AM

Yeah that's exactly what I'm doing now. I was just wondering if this couldn't be done by splunk itself but apparently the answer is "No".

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...