Re: How do i configure a Splunk cold data path for...

enmanu · ‎11-07-2018

I currently have 4 indexers. I have a new mount drive that I am trying to send Splunk cold data to.

[volume:cold]
coldpath = /mnt/splunk_cold

Please can anyone explain how I can set this stanza in the cluster master (master app) for each individual indexers? Since the slave app has a higher precedence the system/local...

sudosplunk · ‎11-08-2018

I configured the volumes as follows:

Create a directory (called as an app in splunk world) for example index_definitionsunder $SPLUNK_HOME/etc/master-apps

Create a local directory under index_definitions and place indexes.conf file here with below stanzas for defining volumes,

# VOLUME Settings - One volume for hot/warm , one for cold
[volume:hotwarm]
path = /mnt/splunk_hot

[volume:cold]
path = /mnt/cold

# INDEX settings 
[index1]
homePath   = volume:hotwarm/index1/db
coldPath   = volume:cold/index1/colddb
thawedPath = $SPLUNK_DB/index1/thaweddb

[index2]
homePath   = volume:hotwarm/index2/db
coldPath   = volume:cold/index2/colddb
thawedPath = $SPLUNK_DB/index2/thaweddb

Once you have everything in place with right settings, push the bundle to indexers. On cluster master run the command /splunk/bin/splunk apply cluster-bundle -auth admin:password --answer-yes

NOTE: You should also have other mandatory settings in addition to above. Please refer to indexes.conf for more detailed explanation.

How do i configure a Splunk cold data path for separate indexers(peers) in an indexer cluster?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann