Deployment Architecture

Manual rollover

sdaa
Explorer

It's possible from 4.1.5 to roll over indexes manually with ./splunk _internal call /data/indexes/<index_name>/roll-hot-buckets –auth <admin_username>:<admin_password>

So it would be possible to add this as a cron job for this to appear on a weekly basis. But then you need to add a user with admin role and the password for this user in clear.

It would be nice to let splunk itself run this command from a saved search, or as an internal command. There is already an internal cron running for splunk, creating reports and searches.

Does such feature exist or on the roadmap?

gkanapathy
Splunk Employee
Splunk Employee

In general it would be desirable to do this. You can in fact create a custom search command that is passed a login token: http://answers.splunk.com/questions/6707/splunk-admin-credentials-in-scripted-input and schedule that from within Splunk.

However, to your particular point, why are you doing this? Is it for backup purposes? It's generally a bad idea to roll indexes before they're ready, as it can cause long-term degradation in search performance over the data. If you're concerned about hot buckets remaining open for too long without being backed up or closed, it would be better to set the maxHotIdleSecs to something like 86400 (1 day).

sdaa
Explorer

The purpose for my question is for backup purposes yes. I would like to have a predictable roll-over of hot buckets so I know that data in the hot buckets is no older than 7 days, as an example. The maxHotIdleSecs seems only to be working when the maxHotBuckets has been exceeded. Ie this is not predictable.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...