Because the SAN space is pretty expensive, we are only keeping the data in Splunk for 2 months.
Is it possible to have:
- One instance of Splunk on the SAN for normal search (first 2 months)
- One instance on old hardware that reuses frozen buckets from the first instance (from 2 to 12 months old)
- The first instance being able to search in the two instances...
Or would it be possible to move all frozen buckets from the clustered indexer to a "slow" indexer without SAN? (That would be my favorite solution, if possible.)
I guess the drawback of Shuttl is that I can't search only on the messages I want to see; I have to reload the whole time range needed into Splunk?