Here's an example search that gets the event count by source from a Splunk Enterprise index, "_internal", an archived index, "main_archive", and a virtual index, "vix".
SPLUNK ARCHIVER APP ARCHIVE
You can search archived buckets as you normally search HDFS or S3 in Hunk, simply including the archive virtual index in your searches. Archived buckets are ready to be searched in Hunk.Hunk copies cold and warm bucket data from the Splunk Enterprise indexers to a Hadoop supported file system, such as HDFS or S3.Every 17 minutes after the hour, Hunk automatically runs the command | archivebuckets, which will start the archiving process on each indexer.The splunk_archiver app uses Bundle Replication to distribute your configuration information to all relevant Splunk Enterprise indexers.Once you configure a Splunk index as a Hunk Archive: Hunk provides two ways for you to configure the above information: At what age Splunk Enterprise buckets should be copied to the archive in HDFS.Where to put the archived data in HDFS.Which Splunk Enterprise indexes to archive into Hunk.The Archive feature provides a user-friendly way for you to copy warm and cold Splunk indexer data to Hunk as archived data. Archive Splunk Enterprise indexer data to meet your data retention policies without using valuable Splunk indexer space.Perform batch processing analysis in Hunk that includes Splunk Enterprise archived data.
Search across archived buckets, virtual indexes, and Splunk Enterprise indexes.Search archived data that is no longer available in Splunk.Archive Splunk indexed data into HDFS or S3 so that you can:
0 kommentar(er)
