Deployment Architecture

Indexer colddb filesize increase- Will this cause issues?

Sudarshan77
Observer

Lets say my colddb space is 15TB  and volume datasize is 20TB as below (indexer.conf) what will be issues it may cause ? or it is ok ?

 

df -h | grep sde

sde 8:64 0 32T 0 disk
 -sde1   8:65 0 15T 0 part /apps/splunk/colddb

 

On the Indexer Cluster Master server : 

vi /apps/splunk/etc/master-apps/fmrei_all_indexes_frozen/local/indexes.conf

[volume:secondary]

path = /apps/splunk/colddb

maxVolumeDataSizeMB = 20000000

 

Labels (2)
0 Karma

Sudarshan77
Observer

Thanks @isoutamo . Agree. 
But will be any significant problem , if i define "maxVolumeDataSizeMB" more than  "/apps/splunk/colddb" ?

FS >> /apps/splunk/colddb = 15 TB
Indexes.conf >> maxVolumeDataSizeMB = 20 TB

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If/when sum(all indexes cold.path.size) < max vol size then probably no, but I suppose that this in not reality! When sum(size of all indexes cold path) > max vol size - 5000 your node stop indexing until you make more time for it.

So you really should keep that max volume size enough low (less than FS size - 5+%) to take the advantage of use volumes. Otherwise there is no sense to use those. 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

when you have define correctly volume max size then there isn’t any issues. You should check size by “df -BM /path/to/volume” and you will get size as MB. You should leave some space free for filesystem, never set max size as FS size! If/when you have heavy traffic you need to have time for bucket housekeeping , otherwise your indexing could stop when FS becomes full. Also FS need some space for its internal “stuff”. Usually that should be 5-15%.
r. Ismo

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...