Deployment Architecture

Manual rollover

sdaa
Explorer

It's possible from 4.1.5 to roll over indexes manually with ./splunk _internal call /data/indexes/<index_name>/roll-hot-buckets –auth <admin_username>:<admin_password>

So it would be possible to add this as a cron job for this to appear on a weekly basis. But then you need to add a user with admin role and the password for this user in clear.

It would be nice to let splunk itself run this command from a saved search, or as an internal command. There is already an internal cron running for splunk, creating reports and searches.

Does such feature exist or on the roadmap?

gkanapathy
Splunk Employee
Splunk Employee

In general it would be desirable to do this. You can in fact create a custom search command that is passed a login token: http://answers.splunk.com/questions/6707/splunk-admin-credentials-in-scripted-input and schedule that from within Splunk.

However, to your particular point, why are you doing this? Is it for backup purposes? It's generally a bad idea to roll indexes before they're ready, as it can cause long-term degradation in search performance over the data. If you're concerned about hot buckets remaining open for too long without being backed up or closed, it would be better to set the maxHotIdleSecs to something like 86400 (1 day).

sdaa
Explorer

The purpose for my question is for backup purposes yes. I would like to have a predictable roll-over of hot buckets so I know that data in the hot buckets is no older than 7 days, as an example. The maxHotIdleSecs seems only to be working when the maxHotBuckets has been exceeded. Ie this is not predictable.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...