Deployment Architecture

Setting different Locations for Home and Cold storage

Communicator

We are trying to set two separate locations to store hot/warm and cold indexes. We see the $splunk_db field value in the splunk-launch.conf file currently it is set to SPLUNK_DB=E:\Splunkdata\Indexes. So for a entry in indexes.conf could we do the following:

Current Setting:

[akamai]
coldPath=$SPLUNK_DB\akamai\colddb
homePath=$SPLUNK_DB\akamai\db
thawedPath=$SPLUNK_DB\akamai\thaweddb
frozenTimePeriodInSecs=7776000

What we hope to do:

[akamai]
coldPath=F:\Splunkdata\Indexes\akamai\colddb
homePath=E:\Splunkdata\Indexes\akamai\db
thawedPath=$SPLUNK_DB\akamai\thaweddb
frozenTimePeriodInSecs=7776000

we want to store the home path on dedicated storage on drive E and the cold on SAN storage drive F. Is the above possible?

Alternatively could we set something like the below up in splunk-launch.conf:

SPLUNK_DB=E:\Splunkdata\Indexes
SPLUNK_DB_01=F:\Splunkdata\Indexes

and in indexes.conf have the following:

[akamai]
coldPath=$SPLUNK_DB_01\akamai\colddb
homePath=$SPLUNK_DB\akamai\db
thawedPath=$SPLUNK_DB\akamai\thaweddb
frozenTimePeriodInSecs=7776000

Is either of these two methods possible? Is one recommended?

Tags (3)
0 Karma

Motivator

yes that's what I meant. Currently your paths just show up as one long string with no way of telling where they are new sub-directories.

Example:
you have: thawedPath=$SPLUNK_DBakamaithaweddb
I'm guessing it should be: thawedPath=$SPLUNK_DB\/akamai\/thaweddb

0 Karma

Communicator

What do you mean "escape" the slashes like "/" or do you mean something else?

0 Karma

SplunkTrust
SplunkTrust

In general, putting hot/warm and cold on two different storage volumes is possible and fairly common. You could say that's a main purpose of having warm and cold separated.

I'm not 100% certain whether Splunk will recognize custom additional variables or not, just give it a shot with a temporary testing index. If that works then you should use the variable to simplify changes.

0 Karma

SplunkTrust
SplunkTrust

A fully qualified path will always work, you should test using a second variable though if you expect a large number of settings to be based on that. Otherwise you will have maintenance hell down the road.

0 Karma

Communicator

Yes but how do we do that? Can we just use the fully qualified path to the directory?

0 Karma

Motivator

You may want to edit your question and escape your slashes so that they appear in your post and make your configurations much more readable

0 Karma