Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Shuttl: how does it really work?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm experiencing some difficulties in using Shuttl app, though I guess I'm doing things the right way.
I installed the app yesterday and exported to CSV an entire index without issues. Only one bucket remained in Splunk, but it contains a single event so I didn't really bother.
Today I used Shuttl to archive to more indexes: with the same settings used yesterday, I was able to only archive 3 buckets of the first index and none of the second. I tried multiple configurations of my indexes.conf file, but the only enhancement I've had is that I was able to archive ten more buckets of the first index.
My indexes.conf is configured as follows:
[main]
homePath = /splunk2/indexes/defaultdb/db
coldPath = /splunk2/indexes/defaultdb/colddb
thawedPath = /splunk2/indexes/defaultdb/thaweddb
rotatePeriodInSecs = 10
maxWarmDBCount = 0
maxDataSize = 1
warmToColdScript = $SPLUNK_HOME/etc/apps/shuttl/bin/warmToColdScript.sh
coldToFrozenScript = $SPLUNK_HOME/etc/apps/shuttl/bin/coldToFrozenScript.sh
My need is to dump the whole indexes in CSV files in order to export them in an older Splunk installation (job for which this app works really good).
Any suggestion would be appreciated.
Also, a functionality doubt: does Shuttl archive buckets when they switch from warm to cold or from cold to frozen?
Regards,
Stefano
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found my issue: Shuttl uses a temporary folder (default set ~/shuttl_archiver) and on my server, /home partition was set to a very low size.
So, archiving an entire index saturated the filesystem and I solved creating a symbolic link to my NAS mounted under /splunk2.
Hope this could help anyone else who's having problems with Shuttl.
Regards,
Stefano
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Stefano, that is exactly correct!
File transfer happens in the following steps:
1) Shuttl will move the file from the colddb dir to a local tmp (defined via localArchiverDir in conf/archiver.xml)
2) Shuttl will then copy the file from localArchiverDir to a tmp area at the destination
3) When the transfer completes, it then will move the file from that area to the final destination
4) Files in the local tmp are deleted when transfers are successful
This mechanism gives us the necessary reliability to handle crashes, network interruptions, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found my issue: Shuttl uses a temporary folder (default set ~/shuttl_archiver) and on my server, /home partition was set to a very low size.
So, archiving an entire index saturated the filesystem and I solved creating a symbolic link to my NAS mounted under /splunk2.
Hope this could help anyone else who's having problems with Shuttl.
Regards,
Stefano
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
