Deployment Architecture

How do i manually roll buckets in 4.1?

Chris_R_
Splunk Employee
Splunk Employee

How do i manually roll buckets in 4.1? The old method

./splunk search "| debug cmd=roll index=main"

does not work as expected, in fact it does not do anything....

Tags (2)
1 Solution

Chris_R_
Splunk Employee
Splunk Employee

4.1 introduced new CLI commands, one of them is the "rolling buckets to warm" command.
Use

$SPLUNK_HOME/bin/splunk _internal call /data/indexes/main/roll-hot-buckets

Replace "main" For the index you wish to roll, and enter in admin level credentials. You should run this when Splunk is up and running.

View solution in original post

Chris_R_
Splunk Employee
Splunk Employee

4.1 introduced new CLI commands, one of them is the "rolling buckets to warm" command.
Use

$SPLUNK_HOME/bin/splunk _internal call /data/indexes/main/roll-hot-buckets

Replace "main" For the index you wish to roll, and enter in admin level credentials. You should run this when Splunk is up and running.

zliu
Splunk Employee
Splunk Employee

/splunk/bin/splunk _internal call /data/indexes/main/roll-hot-buckets
/splunk/bin/splunk _internal call /data/indexes/access/roll-hot-buckets

0 Karma

the_wolverine
Champion

You can contact docs@splunk.com for any docs issues.

0 Karma

Chris_R_
Splunk Employee
Splunk Employee

Bunnyhop, expected results will be any hot_v_n(read/write) buckets you have in your index will be rolled into a warm db_n_n_n(read only)
Primary purpose of this is to prepare your system for backups.
Doc updates will be coming shortly as well.

0 Karma

jrodman
Splunk Employee
Splunk Employee

Awesome, I was trying to edit the debug processor to not emit errors on success. Would have been cool if anyone had told me it was being axed for 4.1 anyway.

0 Karma

BunnyHop
Contributor

BTW, who in the org is in charge of documentation? I believe this process/procedure (debug cmd ...) is still in the 4.1 documentation for forcing bucket rolling.

0 Karma

BunnyHop
Contributor

What's the expected result of this? It doesnt seem to perform the expected function.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...