Deployment Architecture

Splunk Newbie: Configuring hot and cold storage on 2 separate volumes (AWS)

New Member

Using Splunk Enterprise 6.5.3

I have recently downloaded Splunk Enterprise on an AWS Linux instance and have mounted a fast volume and a large storage volume. These are the following folders, with test1 as the index name:

The fast volume has a mountpoint of /data/hot and large storage as /data/cold.
I've added "SPLUNK_DB=/data" in the /etc/environment file and the /opt/splunk/etc/splunk-launch.conf file.

I copied over the buckets from /opt/splunk/var/lib/splunk/defaultdb/ to these new folders:
sudo cp /opt/splunk/var/lib/splunk/defaultdb/db /data/hot/test1/
sudo cp /opt/splunk/var/lib/splunk/defaultdb/colddb /data/cold/test1/
sudo cp /opt/splunk/var/lib/splunk/defaultdb/thaweddb /data/cold/test1/

So now the following folders exist:

The problem is I've created a custom indexes.conf file in /opt/splunk/etc/local/indexes.conf and what I want it to do is at a certain size move the data from hot to warm and when it reaches a certain time, move to cold storage. I've gone through the documentation, edited this file a whole bunch of times (and restarted it after edits) and I still cannot figure out how I can move this data between buckets. I've also read in some places that you cannot move from warm to cold by time, which in that case, how would you do it by size?

I've tested by uploading a zip file to the Splunk service on :8000. This then creates a hot bucket on /data/hot/test1/db/hot_v1_0. After I restart the service, this then converts this hot bucket to a warm bucket (I'm assuming) on /data/hot/test1/db/db_mostrecenteventtime_latesteventtime. A prerequisite was also to create a new index on the web interface called test1 for Splunk to be able to store it there, where I've added the /data/hot etc. and /data/cold etc. directories.

As I'm new to Splunk I'm not 100% sure if that's how it can work, so if anyone can help on this issue/ explain Splunk to me, that would be greatly, greatly appreciated!

0 Karma

Ultra Champion

Hello Chrisdarn,
it is not exactly clear to me if the folders that exist were created by the index or by you.
In any case, let's assume I created 2 directories:
I will use indexes.conf to create the index, let's call it bob, with its directories and rules.
An explanation for each config is under each line:

[bob]
# the stanza name is the index name
homePath   = /hotWarm/buckets/directory/bob/db
#where hot buckets will be written to.
coldPath   = /cold/buckets/directory/bob/colddb
#where cold buckets will be written to.
thawedPath = /cold/buckets/directory/bob/thaweddb
#An absolute path that contains the thawed (resurrected) databases for the index
homePath.maxDataSizeMB = 4000
# sets the size limit for the hotWarm folder
coldPath.maxDataSizeMB = 6000
# sets the size limit for the cold folder
maxTotalDataSizeMB = 10000
# total size of the index (hotWarm + cold)
maxDataSize = auto
# The maximum size in MB for a hot DB to reach before a roll to warm is triggered
frozenTimePeriodInSecs = 103680000
# Number of seconds after which indexed data rolls to frozen

full details on indexes.conf and more examples, here:

hope it helps

0 Karma
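The stanza above, carried over to the layout in the question as an added, runnable illustration (example code written for this page, not from the thread, from Splunk, or from either poster): a small Python script that holds a constructed indexes.conf stanza for index test1 with the fast volume on /data/hot and the large volume on /data/cold (assuming SPLUNK_DB=/data and that the file lives at $SPLUNK_HOME/etc/system/local/indexes.conf), parses it, lists which setting drives each bucket transition, and flags the configuration mistakes that silently keep data on the wrong volume or delete it instead of archiving it. The size, count and age values are assumptions chosen for illustration.

```python
import configparser
from pathlib import PurePosixPath

# Constructed sample stanza for the layout described in the question (index
# test1, fast volume on /data/hot, large volume on /data/cold, SPLUNK_DB=/data).
# Splunk reads this from $SPLUNK_HOME/etc/system/local/indexes.conf; the
# numeric values are assumptions for illustration, not settings from the thread.
SAMPLE_INDEXES_CONF = """
[test1]
homePath   = $SPLUNK_DB/hot/test1/db
coldPath   = $SPLUNK_DB/cold/test1/colddb
thawedPath = $SPLUNK_DB/cold/test1/thaweddb
# hot -> warm: a hot bucket rolls when it reaches maxDataSize (auto = 750 MB)
maxDataSize = auto
# warm -> cold: the oldest warm bucket moves to coldPath when the warm bucket
# count or the size of homePath is exceeded; there is no age-based trigger
maxWarmDBCount = 50
homePath.maxDataSizeMB = 4000
# cold -> frozen: when the newest event in a bucket is older than this, or
# when the whole index exceeds maxTotalDataSizeMB (oldest bucket first)
frozenTimePeriodInSecs = 7776000
coldPath.maxDataSizeMB = 6000
maxTotalDataSizeMB = 10000
# without this (or coldToFrozenScript) a frozen bucket is simply deleted
coldToFrozenDir = $SPLUNK_DB/cold/frozen/test1
"""

# Which settings drive each bucket transition. warm->cold deliberately lists
# no time-based setting because Splunk has none for that step.
TRANSITIONS = {
    "hot->warm": ("maxDataSize", "maxHotSpanSecs"),
    "warm->cold": ("maxWarmDBCount", "homePath.maxDataSizeMB"),
    "cold->frozen": ("frozenTimePeriodInSecs", "maxTotalDataSizeMB"),
}


def parse_indexes_conf(text):
    """Parse indexes.conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive (homePath, not homepath)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def expand_path(value, splunk_db):
    """Resolve $SPLUNK_DB the way splunk-launch.conf / the environment would."""
    return PurePosixPath(value.replace("$SPLUNK_DB", splunk_db))


def rollover_triggers(settings):
    """Map each transition to the settings in this stanza that can trigger it."""
    return {
        step: [f"{k}={settings[k]}" for k in keys if k in settings]
        for step, keys in TRANSITIONS.items()
    }


def check_index(name, settings, splunk_db="/data"):
    """Return a list of problems with one index stanza; an empty list means it looks sane."""
    problems = []
    missing = [k for k in ("homePath", "coldPath", "thawedPath") if k not in settings]
    if missing:
        return [f"{name}: required path setting(s) missing: {', '.join(missing)}"]
    paths = {k: expand_path(settings[k], splunk_db) for k in ("homePath", "coldPath", "thawedPath")}
    # The three directories must be distinct and must not nest inside each other,
    # otherwise buckets never actually leave the fast volume.
    items = list(paths.items())
    for i, (ka, pa) in enumerate(items):
        for kb, pb in items[i + 1:]:
            if pa == pb or pa in pb.parents or pb in pa.parents:
                problems.append(f"{ka} ({pa}) and {kb} ({pb}) overlap")
    for step, keys in TRANSITIONS.items():
        if not any(k in settings for k in keys):
            problems.append(f"{step} has no explicit trigger; Splunk will fall back to its defaults")
    size_keys = ("homePath.maxDataSizeMB", "coldPath.maxDataSizeMB", "maxTotalDataSizeMB")
    sizes = {k: int(settings[k]) for k in size_keys if k in settings}
    if len(sizes) == 3 and sizes[size_keys[0]] + sizes[size_keys[1]] > sizes[size_keys[2]]:
        problems.append("homePath + coldPath limits exceed maxTotalDataSizeMB; the total limit freezes data first")
    if "coldToFrozenDir" not in settings and "coldToFrozenScript" not in settings:
        problems.append("no coldToFrozenDir/coldToFrozenScript: frozen buckets are deleted, not archived")
    return problems


if __name__ == "__main__":
    for index_name, index_settings in parse_indexes_conf(SAMPLE_INDEXES_CONF).items():
        print(index_name, rollover_triggers(index_settings))
        print(check_index(index_name, index_settings) or "OK")
```

Run it against your own file by reading it into parse_indexes_conf instead of the embedded string. The rollover summary makes the point the question circles around: the only warm-to-cold triggers are maxWarmDBCount and homePath.maxDataSizeMB, so "move to cold after N days" has to be expressed as a size or count limit on the fast volume. The last check matters for retention and investigations: once frozenTimePeriodInSecs or maxTotalDataSizeMB is hit, Splunk removes the bucket unless a coldToFrozenDir or coldToFrozenScript is set. On the instance itself, `splunk btool indexes list test1 --debug` shows the merged values Splunk actually applies and which file each one came from.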

New Member

Thanks for the help so far. All the folders in /opt/splunk and its subdirectories were there when I first installed Splunk Enterprise. I've just copied these buckets and put them in my own volume.

0 Karma

Ultra Champion

Hmm, it means that Splunk will still write to the old location.
You have to tell Splunk where to write the data to.
I would highly suggest not to just copy buckets from place to place regardless.

0 Karma

New Member

Okay I will note that for future reference. Where would I configure where to write the data to? I created an index on the Web UI to point to these new locations if that's what you mean.

0 Karma

Splunk Employee

Here's a fun, but unsupported tool!

You can slide the sliders around to lay out what you'd like Splunk to do, and it'll give you configuration stanzas to apply to indexes.conf

It's unsupported because it's not written/controlled by us. But it's usually pretty accurate.

0 Karma

New Member

Thanks for the link. I will try and see if this helps.

0 Karma