Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're going to be doing a lab where we take some frozen data and we thaw it, and then I'll show you in search that we're now able to look at that data again. So before we get started, I'm going to head over to my indexer
00:18
and I'm gonna show you a setting really quick
00:21
just because I made a mistake in a previous video where we set up the windows index. So I want to go over what change you have to make to make sure that your frozen and thawed directories work properly. So
00:39
let's run btool on indexes
00:43
and only show the windows one. So if you look here, uh, we remember in our cold path, thawed path, frozen path, we
00:53
in all of those we used this index name variable. Well, it turns out that that does not work in the frozen directory or the thaweddb directory. So I had to go back and change this to actually explicitly say windows for it to work.
01:07
Otherwise you would just get an archive and then this literal string instead of
01:12
it changing out to the windows variable value. So I fixed those two things, and then also, to get some frozen data, I had to change my frozen time period in seconds to a short enough time and also set my max total data size
01:30
small enough so that the data would roll to frozen.
01:34
So if you were trying to follow along, those are a couple of settings you would have to change to get some data in your frozen DB so that you can actually do this process.
01:45
But as you can see, uh, I'm in this windows frozen DB now, and I do have two frozen directories,
01:53
So first I'm gonna demonstrate. So this is where all of our Windows data is over the past 24 hours. You see, sometime at five o'clock is our earliest data. Right now, I'm gonna run this command
02:12
just to show you
02:21
Oh, apps see time.
02:24
So the earliest event we have is 5:37:53. But once we unfreeze the data, or thaw it, it's going to change that. So let's get started on that. So the process is pretty simple. All I have to do is move this directory into the thawed path
02:44
and then run the rebuild command.
02:46
And then that data will be searchable again.
02:49
So we'll just copy db
02:53
uh, and we'll make sure we get the right one, 46,
02:59
and we will move that to /opt/splunk/var/lib
03:05
splunk
03:07
windows
03:07
thaweddb.
03:10
You'll obviously substitute this out with whatever your
03:14
index path is. If you use $SPLUNK_DB, it's going to translate to this by default,
03:22
so we'll copy that over there. Whoops.
03:25
Since this is a directory, we have to copy recursively.
03:30
So now that's copied. And if you want to see, I will show you.
03:40
You can see that this is now in there. So we're going to now run the splunk rebuild command. It's a pretty simple command. All you do is say splunk rebuild and then give it the absolute path of the bucket that you want to rebuild.
03:58
So we'll copy that
04:00
paste, and we'll just press tab because that'll auto fill
04:04
and then we'll run this.
04:06
And
04:11
specify the index at the end, I believe.
04:15
Actually, let's check to see if that works because I'm not 100% sure. If we have to run that or not
04:21
So. Yeah. So this
04:25
has gotten later because we added more data in. So, uh, that means the data, so that shouldn't actually contribute to the data size. But that value did not get earlier, which means it didn't actually rebuild this. So let's specify windows, and this error message probably gives it away.
04:44
You see, index equals blank.
04:46
So it's probably because we didn't specify our index right here. So we'll do that.
04:51
And rebuild took X seconds, which means it was successful. So if we run this again,
05:01
you would expect to see an earlier time.
05:05
Yeah, you can see. Okay, so, um, I'm just misreading.
05:12
Oh, yeah, I am misreading because today's the 30th. So this says the earliest event was 7/29
05:18
at 7 p.m. Hopefully, my quick math is right.
05:23
So you can see we actually did
05:25
successfully rebuild that data. It's now searchable again. So if I clicked right here, this is data that was not
05:30
previously in here. It's from yesterday.
05:33
So that's a pretty straightforward process. Some things to note is this data will now stay in here
05:41
basically indefinitely. The only thing that would cause this data to go away is if I delete that thaweddb
05:47
volume.
05:49
But otherwise this will stay in here indefinitely. The normal rules of an index only apply to the home, like the cold, warm, the hot paths; they don't apply to the thaweddb. So until I'm done with this data and I delete it, it'll stay there. But I'll demonstrate too that if I just remove this,
06:08
it will actually
06:12
get rid of the data
06:15
lib/splunk
06:17
windows thaweddb
06:21
so we're rid of that. And then if we run our search again, whoops, same thing again,
06:28
you can see now our earliest event is again at around the five o'clock mark. So that's how you, uh, basically thaw data, move it into search, into being searchable again, and then subsequently remove it when you're finished with the data. So,
06:46
yeah, that's everything you need to know about how to thaw data, and
06:50
that wraps up this video so we'll see you in the next one
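The thaw and clean-up procedure from the video, as a script. This is an added example, not the course's own lab material or a Splunk-provided script. It assumes (none of this is stated on the page) that SPLUNK_HOME is /opt/splunk, that the CLI is $SPLUNK_HOME/bin/splunk (overridable with SPLUNK_BIN), that thawedPath is at its default of $SPLUNK_HOME/var/lib/splunk/<index>/thaweddb, and that bucket directories are named db_<latest>_<earliest>_<id> (rb_ on cluster replicas). It refuses to overwrite a bucket that is already thawed, refuses directories that do not look like buckets, and always passes the index name to splunk rebuild, which is the argument the video shows was missing on the first attempt.

```shell
#!/bin/sh
# Added example (not from the course or from Splunk): thaw a frozen bucket by
# copying it into the index's thaweddb directory and running
#   splunk rebuild <absolute bucket path> <index>
# then remove it again later, because retention settings never age thaweddb out.
#
# Assumptions (not stated on the page): SPLUNK_HOME defaults to /opt/splunk,
# the CLI is $SPLUNK_HOME/bin/splunk (override with SPLUNK_BIN), the default
# thawedPath is $SPLUNK_HOME/var/lib/splunk/<index>/thaweddb, and bucket
# directories are named db_<latest>_<earliest>_<id> (rb_ on replicas).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"

# thawed_dir <index> [thaweddb-dir]: the index's thaweddb directory.
thawed_dir() {
    if [ -n "$2" ]; then echo "$2"; else echo "$SPLUNK_HOME/var/lib/splunk/$1/thaweddb"; fi
}

# thaw_bucket <frozen-bucket-dir> <index> [thaweddb-dir]
thaw_bucket() {
    bucket="$1"; index="$2"
    if [ -z "$bucket" ] || [ -z "$index" ]; then
        echo "usage: thaw_bucket <frozen-bucket-dir> <index> [thaweddb-dir]" >&2; return 2
    fi
    if [ ! -d "$bucket" ]; then echo "not a directory: $bucket" >&2; return 1; fi

    name=$(basename "$bucket")
    case "$name" in
        db_[0-9]*_[0-9]*_[0-9]*|rb_[0-9]*_[0-9]*_[0-9]*) ;;
        *) echo "not a bucket directory name: $name" >&2; return 1 ;;
    esac

    thaweddb=$(thawed_dir "$index" "$3")
    if [ ! -d "$thaweddb" ]; then echo "missing thaweddb directory: $thaweddb" >&2; return 1; fi
    dest="$thaweddb/$name"
    if [ -e "$dest" ]; then echo "already thawed, refusing to overwrite: $dest" >&2; return 1; fi

    # The bucket is a directory, so the copy has to be recursive.
    cp -R "$bucket" "$dest" || return 1

    # rebuild wants the absolute path, and without the index name it fails
    # with an empty index= in the error (as seen in the video).
    case "$dest" in /*) abs_dest="$dest" ;; *) abs_dest="$PWD/$dest" ;; esac
    "$SPLUNK_BIN" rebuild "$abs_dest" "$index"
}

# unthaw_bucket <bucket-name> <index> [thaweddb-dir]: remove a thawed bucket.
unthaw_bucket() {
    name="$1"; index="$2"
    case "$name" in
        */*|"") echo "usage: unthaw_bucket <bucket-name> <index> [thaweddb-dir]" >&2; return 2 ;;
    esac
    thaweddb=$(thawed_dir "$index" "$3")
    if [ ! -d "$thaweddb/$name" ]; then echo "no such thawed bucket: $thaweddb/$name" >&2; return 1; fi
    rm -rf "$thaweddb/$name"
}

# Stand-alone use: sh thaw.sh <frozen-bucket-dir> <index> [thaweddb-dir]
if [ "$#" -gt 0 ]; then thaw_bucket "$@"; fi
```

The bucket-name check matters because thaweddb is read by the indexer; dropping an arbitrary directory in there does nothing useful and a mistyped path could copy something much larger than a bucket. The no-overwrite check keeps a second run from silently replacing a bucket that is already being searched. Run it as the user that owns the Splunk installation, so the copied bucket gets the right ownership.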

Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Anthony Fecondo
Splunk Professional Service Consultant
Instructor