
What are these db_* files in the index directory? Can these be safely moved somewhere else without restarting Splunk?

Path Finder

Hi,

In one of my index directories:

CreationTime
db_1428308275_1420532289_1
db_1432097800_1428308291_0
db_1432863053_1432097788_2
db_1433833137_1432863054_3
db_1434789933_1433833139_4
db_1435717564_1434789937_5
db_1435820396_1435717565_6
GlobalMetaData
hot_v1_7
hot_v1_8

What are all those db_* files? Are they warm data? Can these be moved safely to somewhere else without restarting Splunk? They are filling up my server space.

thanks

0 Karma

SplunkTrust

Hi michael_lee,

Yes, these are your warm buckets, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

You should not move them while Splunk is running; stop Splunk, move them away and restart Splunk.
Be aware that moving warm buckets to a different location will result in those buckets no longer being searchable. Maybe you should also have a look at the indexes.conf option maxTotalDataSizeMB and frozenTimePeriodInSecs to set the maximum size and age of your index data http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Indexesconf

cheers, MuS
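
An added example, not part of the original thread or of Splunk's own tooling: before moving or ageing out warm buckets, it helps to see which time range each one covers. The code below parses the `db_<newest>_<oldest>_<local_id>` naming convention the answer links to, using the directory names from the question with their underscores written out, and reports which buckets already have a newest event older than a given `frozenTimePeriodInSecs`. The "current time" and the 60-day retention value are constructed for illustration.

```python
import re

# Warm and cold bucket directories are named db_<newest>_<oldest>_<local_id>,
# where both times are epoch seconds of the newest and oldest event inside.
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")

# Directory listing from the question, with the underscores written out.
LISTING = [
    "CreationTime",
    "db_1428308275_1420532289_1",
    "db_1432097800_1428308291_0",
    "db_1432863053_1432097788_2",
    "db_1433833137_1432863054_3",
    "db_1434789933_1433833139_4",
    "db_1435717564_1434789937_5",
    "db_1435820396_1435717565_6",
    "GlobalMetaData",
    "hot_v1_7",
    "hot_v1_8",
]

def parse_bucket(name):
    """Return (newest, oldest, local_id) for a warm/cold bucket name, else None."""
    m = BUCKET_RE.match(name)
    if m is None:
        return None  # hot buckets and metadata entries carry no time range in the name
    newest, oldest, local_id = (int(g) for g in m.groups())
    if oldest > newest:
        raise ValueError(f"inverted time range in bucket name: {name}")
    return newest, oldest, local_id

def past_retention(names, now_epoch, frozen_secs):
    """Buckets whose newest event is older than frozenTimePeriodInSecs."""
    out = []
    for name in names:
        parsed = parse_bucket(name)
        if parsed and now_epoch - parsed[0] > frozen_secs:
            out.append(name)
    return out

def searchable_span(names):
    """(oldest, newest) epoch covered by the warm/cold buckets, or None."""
    spans = [p for p in map(parse_bucket, names) if p]
    if not spans:
        return None
    return min(s[1] for s in spans), max(s[0] for s in spans)

if __name__ == "__main__":
    NOW = 1435820400        # constructed "current time", just after the newest event
    RETENTION = 60 * 86400  # constructed frozenTimePeriodInSecs value (60 days)
    print("span:", searchable_span(LISTING))
    print("past retention:", past_retention(LISTING, NOW, RETENTION))
```

Run against a real index directory listing, the span tells you how far back searches can reach, which is the figure to check against your investigation and retention requirements before shrinking `maxTotalDataSizeMB` or `frozenTimePeriodInSecs`.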

SplunkTrust

Just a small side note: it looks like you can move them away without Splunk throwing errors, but they are still no longer searchable afterwards, and I would not rely on it being safe at all to do so in a production environment.

0 Karma

Path Finder

Hi, thanks. In that case, if I wish to search for old data, I can just stop Splunk, move back these archived warmed buckets, restart Splunk and it will be searchable again, right? Thanks

0 Karma

SplunkTrust

There is no need to do this manually, Splunk can do this for you 😉
In indexes.conf set the COLDDB path and also the warmToColdScript; after that, Splunk will move the buckets (after the frozenTimePeriodInSecs) from WARMDB to COLDDB and your data is still searchable.

Path Finder

Thanks, I can do this. However, my problem is disk space. Can I say that after I do the above steps, I can move the whole directory called "COLDDB" elsewhere without stopping Splunk? Thanks

0 Karma

SplunkTrust

Simply put the COLDDB on a different volume, disk, file system and Splunk will move it for you.

Path Finder

Oh OK. Like a SAN disk or something. Got it. Thanks.

0 Karma