All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reducing rentention costs, archiving frozen buckets, running multpiple instances

sbsbb
Builder
‎04-17-2013 04:09 AM

Because the SAN Space is pretty expensive, we are only keeping the Data in Splunk 2 months.

Is it possible to have
- One instance from Splunk on the SAN for normal search (first 2 months)
- One instance on old Hardware, that reuse frozen buckets from the first instance (from 2 until 12 month old)
- The first instance beeing able to search in the two instances...

Or would it be possible to move all frozen bucket from the culstered indexer, to a "slow" indexer withou SAN ? (That would be my favorit solution, if possible)

I guess the drawback from shuttl is that I can't only search on the messages I want to see, I have to reload all the timerange needed in splunk ?

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎04-17-2013 05:27 AM

For each index, you can specify different locations for the buckets. You can set the hot/warm buckets to the SAN storage, and the cold/frozen buckets to the "slow" storage.

Indexes.conf:

[volume:fastSan]
path = /path/to/fast/san

[volume:slowSan]
path = /path/to/slow/san

[myindex]
homePath = volume:fastSan/myindex/db
coldPath = volume:slowSan/myindex/colddb
coldToFrozenScript = /MUST HAVE THIS TO MOVE THE DATA

Reply

sbsbb
Builder
‎04-17-2013 11:18 PM

Thats my case... so what are the alternatives ?

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎04-17-2013 05:57 AM

See here: http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Usemultiplepartitionsforindexdata. While they recommend keeping it all on one file system, you can split it up. UNLESS you are using clustering. Then you should keep hot/warm/cold on fast SAN.

0 Karma
Reply

sbsbb
Builder
‎04-17-2013 05:53 AM

In the Splunk doc, there is somewhere a documentation that the warm and cold buket have to be on a medium with similar characteristic (not slower for cold...)

So it would be better to move data from a fastIndex to a slow index ... ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...