https://community.splunk.com/t5/Splunk-Enterprise/Sanity-check-on-Indexer-cluster-with-differing-peer-apps-indexes/m-p/646380#M16543 <P>Sanity check please re: Splunk indexer remote storage configuration</P> <P>(1) Our indexers are set up in a clustered environment, and originally frozen buckets were moved to a local external location using coldToFrozenPath.</P> <P>(2) We are now trying to use a script to have all frozen buckets written to AWS, and &nbsp;the app containing the updated indexes.conf was distributed using the master node</P> <UL> <LI>Script to move / freeze buckets to AWS is working, validated again by checking date / time stamps of last written files</LI> </UL> <P>(3) However, we are STILL getting "duplicate" buckets being written to the local storage instance, even though everything SHOULD only be written to AWS</P> <UL> <LI>When looking at the pertinent indexes in the web GUI, the Frozen Path is still set, even though it has been removed completely from the deployed app's indexes.conf, and verified on the indexers in <STRONG>/peer-apps/xxxx/local/indexes.conf</STRONG></LI> <LI>Trying to manually remove the frozen path in the GUI doesn't work, "not allowed in a clustered environment"</LI> </UL> <P>(4) When trying to find out the 5W's, I've noticed that there is an <STRONG>/opt/splunk/etc/system/local/indexes.conf</STRONG> that ALSO exists on each indexer, and this version still uses the Frozen Path to the local storage.</P> <P>Question:</P> <P>Since the deployed peer-apps indexes.conf with the script does seem to be working correctly, is it safe (relative) for me to remove the /system/local/indexes.conf?</P> Fri, 09 Jun 2023 13:39:14 GMT bamflpn 2023-06-09T13:39:14Z https://community.splunk.com/t5/Splunk-Enterprise/Sanity-check-on-Indexer-cluster-with-differing-peer-apps-indexes/m-p/646380#M16543 <P>Sanity check please re: Splunk indexer remote storage configuration</P> <P>(1) Our indexers are set up in a clustered environment, and originally frozen buckets were moved to a local external location using coldToFrozenPath.</P> <P>(2) We are now trying to use a script to have all frozen buckets written to AWS, and &nbsp;the app containing the updated indexes.conf was distributed using the master node</P> <UL> <LI>Script to move / freeze buckets to AWS is working, validated again by checking date / time stamps of last written files</LI> </UL> <P>(3) However, we are STILL getting "duplicate" buckets being written to the local storage instance, even though everything SHOULD only be written to AWS</P> <UL> <LI>When looking at the pertinent indexes in the web GUI, the Frozen Path is still set, even though it has been removed completely from the deployed app's indexes.conf, and verified on the indexers in <STRONG>/peer-apps/xxxx/local/indexes.conf</STRONG></LI> <LI>Trying to manually remove the frozen path in the GUI doesn't work, "not allowed in a clustered environment"</LI> </UL> <P>(4) When trying to find out the 5W's, I've noticed that there is an <STRONG>/opt/splunk/etc/system/local/indexes.conf</STRONG> that ALSO exists on each indexer, and this version still uses the Frozen Path to the local storage.</P> <P>Question:</P> <P>Since the deployed peer-apps indexes.conf with the script does seem to be working correctly, is it safe (relative) for me to remove the /system/local/indexes.conf?</P> Fri, 09 Jun 2023 13:39:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sanity-check-on-Indexer-cluster-with-differing-peer-apps-indexes/m-p/646380#M16543 bamflpn 2023-06-09T13:39:14Z https://community.splunk.com/t5/Splunk-Enterprise/Sanity-check-on-Indexer-cluster-with-differing-peer-apps-indexes/m-p/646396#M16544 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/257591">@bamflpn</a>,</P><P>The peer-apps/xxx/local directory has higher precedence than etc/system/local on indexers.</P><P>(see docs:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles#Precedence_within_global_context.2C_indexer_cluster_peers_only" target="_self">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles#Precedence_within_global_context.2C_indexer_cluster_peers_only</A>)</P><P>To confirm the location of the setting that's overwriting your&nbsp;<SPAN>coldToFrozenPath, you can run btool on your indexers:</SPAN></P><LI-CODE lang="java">./splunk btool indexes list --debug | grep coldToFrozenPath</LI-CODE><P>&nbsp;</P><P>That should print out each line of all indexes.conf on the host that contribute to the final indexes config for the coldToFrozen option.</P><P>Find the line that has the wrong value and that's the file that you should update.&nbsp;</P><P>&nbsp;</P><P>If you want to delete the system/local/indexes.conf file you should first check what it's doing.</P><P>To see what other config is being used from system/local/indexes.conf you can run:</P><LI-CODE lang="markup">./splunk btool indexes list --debug | grep system/local</LI-CODE><P>Any config that is listed will be applied to that indexer from the system/local/indexes.conf file. Either move the config to a peer-apps app, or just remove it if you don't need it.</P><P>&nbsp;</P><P>Cheers,<BR />Daniel</P> Fri, 09 Jun 2023 00:22:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sanity-check-on-Indexer-cluster-with-differing-peer-apps-indexes/m-p/646396#M16544 danspav 2023-06-09T00:22:33Z https://community.splunk.com/t5/Splunk-Enterprise/Sanity-check-on-Indexer-cluster-with-differing-peer-apps-indexes/m-p/646660#M16562 <P>Sir:</P><P>Perfect, thank you very much.&nbsp;&nbsp;</P><P>Comparing the grep'ed results for system/local coldToFrozenDir vs peer-apps coldToFrozenScript showed me the ones I missed.&nbsp;</P> Mon, 12 Jun 2023 13:27:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sanity-check-on-Indexer-cluster-with-differing-peer-apps-indexes/m-p/646660#M16562 bamflpn18 2023-06-12T13:27:10Z