Storing Cold Database on NAS

paecon
New Member

Having trouble finding an answer for this one but is it possible to change just the cold database location to a NAS for a Windows deployment?

The System Requirements page states that we shouldn't use mapped drives: "Do not index data to a mapped network drive on Windows (for example "Y:\" mapped to an external share.) Splunk Enterprise disables any index it encounters with a non-physical drive letter."

If that's the case, should the volume stanza in indexes.conf use the UNC path like the following?

 

[volume:NAS]
path = \\NAS01\

[main]
homePath = $SPLUNK_DB\defaultdb\db
coldPath = volume:NAS\Database\coldDb

 

 

Any help would be much appreciated.

0 Karma

PickleRick
SplunkTrust

From a strictly theoretical perspective, you could store your data on any storage your OS can access. After all, Splunk uses system calls to access its files, so as long as it can open those files, you're "good".

But the problem is that not every storage performs equally well, hence the rule of thumb about using local storage only. The "slow" storage that can be used for cold storage, which is typically less often used, usually still means relatively quick HDDs versus the SSDs recommended for hot/warm storage.

Remember that latency in accessing slow storage would have a noticeable impact on Splunk's overall performance, not just on those searches that access cold data.

That's one thing.

Another thing is that if you want to reach over the network for data, the Splunk process must be able to access the share the data is stored on, so you will definitely _not_ be able to do so running Splunk with either the LOCAL_SYSTEM user or the default Splunk user.

But still, the most important thing is that you should not use NAS or NFS for Splunk storage - there is too much overhead and the latency is too high for reasonable performance.

0 Karma

Nawab
Communicator

Did you get any solution?

0 Karma

isoutamo
SplunkTrust

Hi

Don't use NAS/NFS (Not For Splunk) for storing active Splunk buckets! Use only local disks, not any network storage like NAS or a remote computer.

The only exception could be storage for frozen buckets. And even then only when you are moving them from cold to frozen.
r. Ismo

0 Karma
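
A way to check an indexes.conf against the advice in the answers above, as an added example that is not part of the original thread or Splunk's own tooling: it expands `volume:` references and reports every `homePath`, `coldPath` or `thawedPath` that lands on a UNC path or a non-physical drive letter. The function names, the sample stanzas other than the two from the question, and the set of physical drive letters (`C`, `D`) are assumptions, and `$SPLUNK_DB` is assumed to be on local disk.

```python
import configparser
import re

# Constructed sample: the two stanzas from the question plus a local-disk index.
SAMPLE = r"""
[volume:NAS]
path = \\NAS01\

[volume:local_cold]
path = D:\splunk\cold

[main]
homePath = $SPLUNK_DB\defaultdb\db
coldPath = volume:NAS\Database\coldDb

[web]
homePath = $SPLUNK_DB\web\db
coldPath = volume:local_cold\web\colddb
"""

BUCKET_KEYS = ("homePath", "coldPath", "thawedPath")

def is_network_path(path, local_drives):
    # UNC paths, and drive letters outside the known-physical set (mapped drives).
    if path.startswith(("\\\\", "//")):
        return True
    drive = re.match(r"([A-Za-z]):", path)
    return bool(drive) and drive.group(1).upper() not in local_drives

def audit(conf_text, local_drives=("C", "D")):
    """Return (index, key, resolved_path) for every bucket path on network storage."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep homePath/coldPath case as written
    cp.read_string(conf_text)
    volumes = {s.split(":", 1)[1]: cp[s].get("path", "")
               for s in cp.sections() if s.startswith("volume:")}
    findings = []
    for stanza in (s for s in cp.sections() if not s.startswith("volume:")):
        for key in BUCKET_KEYS:
            value = cp[stanza].get(key, "")
            ref = re.match(r"volume:([^\\/]+)(.*)", value)
            if ref:  # expand volume:<name>\sub\dir to the volume's path
                value = volumes.get(ref.group(1), "").rstrip("\\/") + ref.group(2)
            if is_network_path(value, local_drives):
                findings.append((stanza, key, value))
    return findings

if __name__ == "__main__":
    for stanza, key, path in audit(SAMPLE):
        print(f"[{stanza}] {key} -> {path} is on network storage")
```

Run against the sample, only the `main` index's `coldPath` is reported; a finding means searchable buckets, and with them the log evidence they hold, depend on a network share staying reachable.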