Cold Search - Searching Archived Logs
Cold search is a powerful feature that allows you to analyze logs that have been moved to long-term storage. Whether you're conducting compliance audits, investigating historical incidents, or analyzing trends over time, cold search gives you access to your archived data.
Understanding Hot vs. Cold Search
Your logging system uses two types of search to balance performance and cost:
Hot Search: Searches recent logs stored in high-speed storage for quick access and real-time analysis
Cold Search: Searches archived logs in long-term storage for historical analysis and compliance needs
Think of hot search as your active filing cabinet and cold search as your archive room - both contain important information, but they're optimized for different purposes.
When to Use Cold Search
Cold search is ideal for:
Compliance and Auditing: Reviewing logs from specific time periods for regulatory requirements
Historical Analysis: Investigating patterns or incidents that occurred weeks or months ago
Trend Analysis: Comparing current behavior against historical baselines
Forensic Investigation: Examining detailed logs from past security events
For analyzing recent or real-time logs, use hot search instead, which provides faster results for current data.
Accessing Cold Search
Cold search functionality is available through your location's archives search interface. You'll need appropriate permissions to access archived logs and run cold search queries.
Navigate to your location's archives area and select the cold search or archive search option to begin working with historical data.
Searching Archived Logs
Defining Your Time Range
The most important aspect of cold search is specifying the time range for your archived data:
Set your start date to define when your search window begins
Set your end date to define when your search window ends
Consider the volume of data in your selected range - larger time ranges will take longer to process
Tip: Start with narrower time ranges and expand as needed. Searching a week of archived logs is much faster than searching an entire year.
Filtering by Location
You can focus your cold search on specific locations within your organization:
Search across all locations for organization-wide analysis
Filter to specific locations when investigating location-specific issues
Combine multiple locations to compare behavior across sites
Using Host Filters
Refine your cold search by filtering for specific hosts or systems. This helps you:
Focus on logs from particular servers or devices
Isolate issues to specific infrastructure components
Reduce the volume of data to process
Query Syntax
Cold search uses the same query syntax as hot search, allowing you to:
Search for specific text strings in your logs
Use boolean operators to combine search terms
Filter by log fields and attributes
Match patterns using standard search operators
The key difference is that cold search queries run against archived data in long-term storage rather than recent logs in active storage.
Performance Considerations
Cold search operates differently than hot search due to the nature of archived storage:
Expected Response Times
Cold searches typically take longer than hot searches
Larger time ranges require more processing time
The number of locations and hosts affects query duration
Complex queries take longer to execute against archived data
Optimizing Your Searches
To get the best performance from cold search:
Be specific with time ranges: Only search the time period you actually need
Filter by location: Narrow your search to relevant locations when possible
Use host filters: Limit searches to specific hosts when investigating targeted issues
Start narrow, then expand: Begin with focused queries and broaden if needed
Cost Implications
Searching archived logs involves retrieving data from long-term storage, which may have cost implications:
Cold searches access data stored in archive storage systems
Larger queries that scan more data may incur higher costs
Frequent cold searches across large time ranges can add up
Your organization's subscription plan may include cold search allowances
Best Practice: Plan your cold searches thoughtfully. Combine multiple investigation needs into single queries when possible, and avoid repeatedly searching the same time ranges.
Best Practices for Efficient Cold Searches
Plan Before You Search
Define exactly what you're looking for before running the query
Identify the specific time range when the event or pattern occurred
Determine which locations and hosts are relevant
Write down your search criteria to stay focused
Use Progressive Refinement
Start with a broad query to confirm data exists in your time range
Review the results to understand what's available
Refine your query with additional filters
Narrow your time range if you find the relevant period
Document Your Findings
When conducting compliance or audit searches:
Save your query parameters for future reference
Export or document relevant results
Note the time range and filters used
Keep records of when cold searches were performed
Coordinate with Your Team
Share successful query patterns with colleagues
Avoid duplicate searches by checking if someone has already searched a time range
Consolidate investigation needs to minimize redundant cold searches
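As an added example (not part of this documentation or the logging product's own code), a small Python helper that applies the advice from the Performance Considerations, Cost Implications and Best Practices sections: it validates a planned cold search window, warns when the range is wide or has no location or host filter, keeps an audit record of each run, and flags a new search whose data a recorded earlier run already returned. The ColdSearchPlan and ColdSearchLog names, the 30-day limit and the sample query are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical planning helper, not the logging product's own API: it warns on wide
# or unfiltered windows and flags a run whose data an earlier recorded run covered.

@dataclass(frozen=True)
class ColdSearchPlan:
    query: str          # same syntax as hot search, e.g. 'status:500 AND path:/login'
    start: datetime     # start of the archive window
    end: datetime       # end of the archive window
    locations: frozenset = frozenset()  # empty means every location
    hosts: frozenset = frozenset()      # empty means every host

    def __post_init__(self):
        if self.end <= self.start:
            raise ValueError("end must be after start")

def _subset(narrow: frozenset, broad: frozenset) -> bool:
    # An empty filter means "everything", so it covers any narrower filter.
    return not broad or (bool(narrow) and narrow <= broad)

def covered_by(prior: ColdSearchPlan, new: ColdSearchPlan) -> bool:
    # True when every result `new` could return was already in `prior`'s results.
    return (prior.query == new.query
            and prior.start <= new.start and new.end <= prior.end
            and _subset(new.locations, prior.locations)
            and _subset(new.hosts, prior.hosts))

@dataclass
class ColdSearchLog:
    max_days: int = 30                        # assumed team limit for one query
    runs: list = field(default_factory=list)  # audit record of (ran_at, plan)

    def warnings(self, plan: ColdSearchPlan) -> list:
        notes = []
        days = (plan.end - plan.start) / timedelta(days=1)
        if days > self.max_days:
            notes.append(f"window is {days:.0f} days; narrow it before running")
        for name in ("locations", "hosts"):
            if not getattr(plan, name):
                notes.append(f"no {name[:-1]} filter: scans every {name[:-1]}")
        for ran_at, prior in self.runs:
            if covered_by(prior, plan):
                notes.append(f"already covered by run at {ran_at.isoformat()}")
        return notes

    def record(self, plan: ColdSearchPlan, ran_at: datetime) -> int:
        self.runs.append((ran_at, plan))
        return len(self.runs)
```

Run `warnings()` before submitting a cold search and `record()` after it completes; the run list doubles as the written record of time ranges and filters that the compliance guidance above asks for.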
Related Features
Hot Search: For searching recent and real-time logs with faster performance
Archive Management: For configuring retention policies and storage settings
Location Details: View storage usage and log statistics at /organizations/:orgId/locations/:locationId
Need Help?
If you're unsure whether to use hot or cold search for your use case, consider:
How recent is the data? Recent logs → hot search; older logs → cold search
How quickly do you need results? Immediate → hot search; can wait → cold search
What's the time range? Last few days → hot search; weeks/months ago → cold search
For questions about your specific cold search capabilities or archive retention settings, contact your organization administrator or refer to your subscription plan details.
