Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I want to keep all hot/warm buckets under /opt/Splunk_hot dir and cold to /opt/Splunk_cold dir.

ansif
Motivator
‎12-08-2017 01:58 AM

I want to keep all hot/warm buckets under /opt/Splunk_hot dir and cold to /opt/Splunk_cold dir.

I have updated all addons indexes.conf file by following:

[volume:splunkdb_cold]
path=/opt/Splunk_cold

coldPath =volume:splunkdb_cold/$_index_name/colddb

I could see directories created under /opt/Splunk_cold but no files are written there.

Is there any option to check if this configuration is working fine by forcing an index to roll from warm to cold?

And currently the cold dbs are under /opt/Splunk_hot/$indexname/colddb Can I move these files to /opt/Splunk_cold using mv command?

0 Karma
Reply

traxxasbreaker
Communicator
‎12-14-2017 04:17 AM

I'm curious as to whether those cold buckets still under the hot/warm path are actually searchable with that configuration, and I strongly suspect that they might not be. Can you please try running | dbinspect and see if it does show those cold buckets?

To answer your question about moving the buckets, it's probably better to move the existing cold data rather than just waiting for new data to roll to cold so all the cold buckets will be in the right place, but the fact that it created the directory structures when you applied that configuration is a good sign. You should stop the Splunk instance (one at a time and in maintenance mode if you are using indexer clustering) and move those existing cold buckets to the cold path. Or if you have the filesystem space and are more comfortable with a copy, you can use cp instead then cleanup the originals after you are sure it worked.

0 Karma
Reply

baldwintm
Path Finder
‎12-13-2017 04:43 PM

Yes, you can move the colddb from the old path to the new path. you will probably have to restart splunk on the indexer after you move them.

If you want to test this without waiting for data to roll, you can move the colddb files for one index, then restart splunk and see if the older data is searchable.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...