Do the Splunk indexers need to be stopped before rolling hot buckets to warm?


I need to roll some hot buckets from hot to cold and I wanted to know if the Splunk indexers need to be stopped beforehand?

Why do you need to do this? Splunk will take care of this automatically, and it is best to let Splunk do it.

If you really need to make a change in how your buckets are managed, you should change your settings in indexes.conf.
However, you will still need to restart your indexers in order for the changes to take effect.

And BTW, when you restart the indexers, all hot buckets are closed and rolled automatically. If you have multiple indexers and are doing load-balanced forwarding, you should be able to restart each indexer one at a time, without affecting the indexing in any way. Of course, running searches would probably be affected. Even if you have only one indexer, you should be able to restart it cleanly, as the forwarders will cache while the indexer is unavailable.

I would NOT roll any buckets by hand. If you think you have such a severe problem that this is required, I recommend that you contact Support first.