topic Re: Splunk Indexes question in Splunk Enterprise Security

Splunk Indexes question

sarwshai — Mon, 23 Mar 2020 15:56:54 GMT

Hi,

1) I want to move my hot/warm bucket to cold after 90 days, is it possible to roll buckets based on time duration or only can roll volume based? Want to keep Hot and Warm for 90 days as i am using ssd for it and move it to cold in slow disk after that.

Can this setting be applied

maxHotSpanSecs = [90days]

2) Also i intend to keep hot/warm in same path and cold in another, below config is right for the same? Do i need to mention volume:
in homepath too(my hot/warm buckets should be in /opt/splunk/var/lib/splunk)?
3) Also where should be accelelarated(tstats) be stored ideally

[default]
homePath       = $SPLUNK_DB/$_index_name/db
coldPath       = volume:[cold]/$_index_name/colddb
thawedPath     = $SPLUNK_DB/$_index_name/thaweddb
tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary

Thanks in advance!

Re: Splunk Indexes question

woodcock — Mon, 23 Mar 2020 17:01:23 GMT

It is never advisable (except in the cases of legal mandates) to use TIME-based settings for hot/warm buckets. If you do, you will find that a significant portion of your FAST hot/warm space will be unused AND that you will send WAY too much time administering settings and disk volumes. Just use SIZE-based settings and keep an eye on bucketmover events to see how much is in hot/warm so that you know when you should add more disk or indexers.

Re: Splunk Indexes question

sarwshai — Tue, 24 Mar 2020 08:24:39 GMT

What's the setting for sized based rolling? Is it maxVolumeDataSizeMB
And if i mention both, who'll take the precedence?

Re: Splunk Indexes question

woodcock — Tue, 24 Mar 2020 14:20:40 GMT

Yes. That is it. If you set both, then both work independently and simultaneously.

Re: Splunk Indexes question

sarwshai — Tue, 24 Mar 2020 14:52:41 GMT

Thanks @woodcock