Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Storing Cold Database on NAS

paecon
New Member
‎08-10-2020 03:41 PM

Having trouble finding an answer for this one but is it possible to change just the cold database location to a NAS for a Windows deployment?

The System Requirements page states that we shouldn't use mapped drives "Do not index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter."

If that's the case should Volume stanza the indexes.conf use the UNC path like the following?

 

[volume:NAS]
path = \\NAS01\

[main]
homePath = $SPLUNK_DB\defaultdb\db
coldPath = volume:NAS\Database\coldDb

 

 

Any help would be much appreciated

Labels (2)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-16-2024 10:47 AM

From a strictly theoretical perspective, you could store your data on any storage your OS can access. After all Splunk uses system calls to access its files so as long as it can open those files, you're "good".

But the problem is that not every storage performs equally well hence the rule of thumb about using local storage only. The "slow" storage which can be used for cold storage which is typically less often used means usually still relatively quick HDDs versus SDD recommended for hot/warm storage.

Remember that latency in accessing slow storage would have noticeable impact on overall Splunk's performance, not just those searches that access cold data.

That's one thing.

Another thing is that if you want to reach over the network for data, Splunk process must be able to access the share the data is stored on so you will definitely _not_ be able to do so running Splunk with either LOCAL_SYSTEM user or the default Splunk user.

But still, the most important thing is that you should not use NAS or NFS for Splunk storage - there is too much overhead and the latency is too high for reasonable performance.

0 Karma
Reply

Nawab
Communicator
‎02-15-2024 03:13 AM

did you get any solution?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-15-2024 07:38 AM

Hi

don’t use NAS/NFS (Not For Splunk) for storing active splunk buckets! Use only local disks not any network storage like NAS or remote computer.

Only exception could be storage for frozen buckets. And even then only when you are moving them from cold to frozen. 
r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top