Deployment Architecture

Cold to Frozen buckets question

paccio84
New Member

Hi @All,
I will explain my situation now:

  • On my Splunk Enterprise (7.2.6) environment I have configured the option ColdToFrozenScript=(script path) and frozenTimePeriodInSecs = 10368000 (120 days).

  • The customer would like to extend the storage and maintain cold buckets for 3 years (no longer 120 days).

  • At the same time, they would like to have these frozen buckets/archives created automatically after 120 days.

My question is: Is it possible to freeze cold buckets after 120 days and at the same time maintain one searchable copy of them (cold) for 3 years?

Thanks in advance

Regards

Federico

0 Karma
1 Solution

nickhills
Ultra Champion

Once data is frozen it is "offline" and no longer searchable by Splunk.

If I have understood, you should configure Splunk with a frozenTimePeriodInSecs which matches the requirements (3 years)
- this will give you searchable data up to 3 years.

Splunk does not manage anything in the frozen path - if you want to archive/move/delete frozen buckets 120 days after they are frozen, you will need to script a process (external to Splunk) to manage that.

If my comment helps, please give it a thumbs up!


0 Karma
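
One way to script the external process the answer above describes, as an added example that is not part of the original post and not Splunk's own code. It assumes the frozen path holds bucket directories named `db_<newest>_<oldest>_<id>` (or `rb_` for replicated copies) and that a directory's mtime approximates the time it was frozen; the archive path in the usage comment is hypothetical.

```python
import os
import re
import shutil
import sys
import time

# Bucket directory names: db_<newestEpoch>_<oldestEpoch>_<id>, optionally with a
# trailing _<guid> on clustered indexers; rb_ marks a replicated copy.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")
RETAIN_DAYS = 120  # from the thread: act on buckets 120 days after they are frozen


def expired_buckets(frozen_root, retain_days=RETAIN_DAYS, now=None):
    """Return bucket dirs under frozen_root whose mtime is older than retain_days."""
    now = time.time() if now is None else now
    cutoff = now - retain_days * 86400
    hits = []
    for entry in os.scandir(frozen_root):
        # Only real directories that look like buckets; never follow symlinks.
        if not entry.is_dir(follow_symlinks=False):
            continue
        if not BUCKET_RE.match(entry.name):
            continue
        if entry.stat(follow_symlinks=False).st_mtime < cutoff:
            hits.append(entry.path)
    return sorted(hits)


def prune(frozen_root, retain_days=RETAIN_DAYS, now=None, dry_run=True):
    """Delete expired buckets; with dry_run=True only report what would be removed."""
    removed = []
    for path in expired_buckets(frozen_root, retain_days, now):
        if not dry_run:
            shutil.rmtree(path)
        removed.append(path)
    return removed


if __name__ == "__main__":
    # Hypothetical usage from cron: prune_frozen.py /archive/frozen/main [--delete]
    if len(sys.argv) < 2:
        sys.exit("usage: prune_frozen.py <frozen_root> [--delete]")
    for p in prune(sys.argv[1], dry_run="--delete" not in sys.argv[2:]):
        print(p)
```

The name filter and the dry-run default keep the job from removing anything in the archive path that is not a bucket directory; replace `shutil.rmtree` with a move to long-term storage if the frozen copies must be kept.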
