Cold bucket on remote/flash drive for Windows OS

ips_mandar
Builder

Hi, I am using Splunk on Windows OS
and I want to store hot/warm buckets on local storage and cold buckets on flash shared storage.
So, to access this flash shared storage, do I require to install Splunk with a domain account?
Because it seems it cannot access a mapped network drive when I install Splunk with a local account.
Can you help with an example or documentation to refer to?
Thanks,

1 Solution

gcusello
SplunkTrust

Hi @ips_mandar,
No, you need to install Splunk only on indexers.
If your flash shared storage is seen by Windows as a drive (e.g. D:), you can configure this path for cold buckets in your indexes.conf:

coldPath = D:\splunk_db\my_index_name\colddb

Obviously, you know that using a network resource, you could have slow response times.

Ciao
Giuseppe

ips_mandar
Builder

Thanks @gcusello.
I have mapped a shared drive with the name "B" which I am able to access in File Explorer. Then, while creating a new index, I enter the B drive path for coldPath, but it gives me the error "The system cannot find the path specified" and I am unable to save.
1. So I thought I need to install Splunk using a domain account so that it can access the mapped drive?
2. Also, regarding response time, if IOPS are high, does it still have slow response time?
3. Is there any better way to store cold buckets on a separate drive instead of a local drive?


ips_mandar
Builder

@gcusello,
Any thoughts on the above query? It would be a great help for me.


gcusello
SplunkTrust

Hi @ips_mandar,
I don't think a domain account is needed, but surely you have to give the user used to run Splunk all the grants to access the B: drive.

About response time, high IOPS means that you have quicker response times in your searches than with slow disks (e.g. NAS); instead, if you have data accessed by many searches on remote disks, you'll have higher response times.
For this reason, you should analyze the time period of most searches in your Splunk and increase the retention time of warm data (that stored on fast disks); in this way slow searches will be fewer and most response times will be fast because they use the fastest disks.

About the third question, usually older data is stored on less valuable storage even if this means that searches on this piece of data will be slower; your solution is one of these and should be OK. Usually I saw NAS.

Only one additional hint: analyze more deeply the operating system of your Splunk servers. I never saw a large Splunk infrastructure based on Windows!

Ciao.
Giuseppe
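An added pre-flight check, not code from this thread, covering both Giuseppe's coldPath example above and his point about granting the Splunk service user access to the B: drive. It assumes the Windows service is named Splunkd (the Splunk Enterprise default) and uses a hypothetical coldPath that mirrors the one discussed.

```powershell
# Added pre-flight check, not code from the thread: confirm the account that runs the
# Splunkd service can reach the directory you intend to put in coldPath.
# Assumptions: service name "Splunkd" (Splunk Enterprise default on Windows) and a
# hypothetical path; run from an elevated PowerShell on the indexer.
param(
    [string]$ColdPath = 'B:\splunk_db\my_index_name\colddb'   # hypothetical, mirrors the thread
)

# 1. Which account does the indexer service run as? Drive letters mapped in your
#    interactive session belong to that session only; a service logged on as another
#    account never sees "B:", which is one way to get "The system cannot find the path".
$svc = Get-CimInstance Win32_Service -Filter "Name='Splunkd'"
if (-not $svc) { throw 'Splunkd service not found on this host' }
$acct = $svc.StartName
Write-Host "Splunkd runs as: $acct"
if ($acct -eq 'LocalSystem') {
    Write-Warning 'LocalSystem reaches network shares as the computer account (DOMAIN\HOST$); share and NTFS ACLs must grant that account'
    $acct = 'SYSTEM'   # the name that appears in local NTFS ACLs
}

# 2. If ColdPath starts with a mapped drive letter, rewrite it as the UNC path it
#    points to, so indexes.conf names the storage in a session-independent way.
$letter = $ColdPath.Substring(0, 1)
$drive = Get-PSDrive -Name $letter -PSProvider FileSystem -ErrorAction SilentlyContinue
if ($drive -and $drive.DisplayRoot) {
    $unc = $ColdPath -replace "^$($drive.Name):", $drive.DisplayRoot
    Write-Warning "'$ColdPath' is a mapped letter; put the UNC form in indexes.conf instead: $unc"
    $ColdPath = $unc
}

# 3. Existence is checked from *your* session; the ACL listing is what tells you whether
#    the service account has been granted access (the "grants to access B: drive" above).
if (-not (Test-Path -LiteralPath $ColdPath)) {
    Write-Warning "Path not found from this session: $ColdPath"
    return
}
$shortName = $acct.Split('\')[-1]
$aces = (Get-Acl -LiteralPath $ColdPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*$shortName*" }
if ($aces) {
    $aces | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    Write-Warning "No ACL entry for '$acct' on $ColdPath; grant it Modify rights here and on the share itself"
}
```

If the script rewrites the path to its UNC form, use that form in indexes.conf and restart Splunk so the service picks it up.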


ips_mandar
Builder

Thank you.


gcusello
SplunkTrust

You're welcome.
Ciao, and see you next time!
Giuseppe
