Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Manual rollover

sdaa
Explorer
‎11-12-2010 09:42 AM

It's possible from 4.1.5 to roll over indexes manually with ./splunk _internal call /data/indexes/<index_name>/roll-hot-buckets –auth <admin_username>:<admin_password>

So it would be possible to add this as a cron job for this to appear on a weekly basis. But then you need to add a user with admin role and the password for this user in clear.

It would be nice to let splunk itself run this command from a saved search, or as an internal command. There is already an internal cron running for splunk, creating reports and searches.

Does such feature exist or on the roadmap?

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-12-2010 03:49 PM

In general it would be desirable to do this. You can in fact create a custom search command that is passed a login token: http://answers.splunk.com/questions/6707/splunk-admin-credentials-in-scripted-input and schedule that from within Splunk.

However, to your particular point, why are you doing this? Is it for backup purposes? It's generally a bad idea to roll indexes before they're ready, as it can cause long-term degradation in search performance over the data. If you're concerned about hot buckets remaining open for too long without being backed up or closed, it would be better to set the maxHotIdleSecs to something like 86400 (1 day).

Reply

sdaa
Explorer
‎11-15-2010 12:23 PM

The purpose for my question is for backup purposes yes. I would like to have a predictable roll-over of hot buckets so I know that data in the hot buckets is no older than 7 days, as an example. The maxHotIdleSecs seems only to be working when the maxHotBuckets has been exceeded. Ie this is not predictable.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...