Manage your archives
You might want to review the status of your archived indexes or understand how much of your entitlement has been used. You can review the status of your archived indexes on the Archived Indexes page.
Steps to review the overall status of your restore requests for the last 90 days
- From Splunk Web, go to Settings > Indexes.
- From the Indexes page, click on a value in the Archive Retention column.
- Click the Restore tab to open the Restore page.
- Review the Restore Summary (90 days) table to see the overall status of your restored data.
| Field | Description |
|---|---|
| Total Restored Data (GB) | The total amount of raw data (uncompressed) that has been restored. This value is updated nightly. |
| Total Cleared Data (GB) | The total amount of raw data (uncompressed) that has been deleted from the restored archive. This value is updated nightly. |
| Total Expired Data (GB) | The total amount of raw data (uncompressed) that has expired from the restored archive. This value is updated nightly. |
You can view the details for restored archived data from the last 90 days in the table below. For each index, you can see the following details:
| Field | Description |
|---|---|
| Index Name | The name of the restored index. |
| Restored Count | The total number of restoration requests, including both successful and failed restore requests. This value also includes cleared and expired restore requests. |
| Restored Size (GB) | The total amount of raw data (uncompressed) that has been restored. |
| Cleared Count | The total number of restored index requests that have been manually deleted. |
| Cleared Size (GB) | The total amount of raw data (uncompressed) that has been manually deleted. |
| Expired Count | The total number of restored index requests that have aged out. |
| Expired Size | The total amount of restored raw data (uncompressed) that has aged out. |
Steps to review the status of individual restore requests
- From Splunk Web, go to Settings > Indexes.
- From the Indexes page, click on a value in the Archive Retention column.
- Click the Restore tab to open the Restore page.
- Go to the Restore Request History (Last 50 requests) table.
From here, you can see the start time, end time, time of the request, data volume in GB, and the expiration date. To understand the status for each job, check the Job Status field for each index. The following table shows the possible values.
| Field | Description |
|---|---|
| Pending | The request for restoration has been initiated, but has not yet begun. |
| In progress | The restoration process has started, but it has not been completed. |
| Success | The data has been successfully restored to your index. |
| Failure | The restoration failed. Click the > button next to the archive to display more details about the failure. |
| Cleared | You have successfully cleared the temporarily restored data. |
| Expired | The restored data has passed the 30 day retention threshold. |
After you have reviewed the archived indexes, you can determine what actions you want to take for each archived or restored index. You may want to clear archived data or stop archiving an index. Or you may see that a restoration or archive operation failed and chose to troubleshoot the issue.
Steps to review the overall size and growth of your archived indexes
You might want to review the size and growth of your archived indexes to better understand how much of your entitlement you are consuming. This can help you predict usage and expenses for your archived data.
- From Splunk Web, go to Settings > Indexes.
- From the Indexes page, click on a value in the Archive Retention column.
The Archive Summary page displays the following information:
| Field | Description |
|---|---|
| Total Archive Usage | The total amount of raw data (uncompressed) that is stored in the archive. This number turns red when total archive usage exceeds the total entitlement. This value is updated nightly. |
| Total Entitlement | Your total entitlement as determined in your service agreement. |
| Total Archive Data Growth (90 Days) | The total amount of raw data (uncompressed) that has been added to the archive in the past 90 days. This value is updated nightly. |
| Total Archive Data Expiration (90 Days) | The total amount of raw data (uncompressed) that has aged out of the archive within the past 90-day window. This value is updated nightly. Note that each index has an archive retention setting and the data ages out over time. For example, index A has 2-year archive retention. Every night for that index, Splunk ages out the data that is older than 2 years. |
Steps to review the size and growth of each archived index
You might want to review the size and growth of each index to understand how much it grows over time.
- From Splunk Web, go to Settings > Indexes.
- From the Indexes page, click on a value in the Archive Retention column.
The Archive Summary page displays the following information:
| Field | Description |
|---|---|
| Index Name | Name of the index. |
| Current Size (GB) | The current amount of raw data (uncompressed) that is stored in the archive for each index. |
| Earliest Event | The earliest event in the archived index. |
| Latest Event | The latest event in the archived index. |
| 90-Day Data Growth (GB) | The amount of raw data (uncompressed) that has been added to the archive in the past 90 days for each index. |
| 90-Day Data Expiration (GB) | The amount of raw data (uncompressed) that has been removed from the archive after 90 days for each index. |