Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens if the cold mount becomes unavailable?

maciep
Champion
‎10-09-2015 05:12 AM

We've been informed that the cold mount on half of our indexers needs to be moved to a different file system. And for that to happen there will be a downtime of about an hour when it needs to be unmounted from our indexers.

I'm assuming that Splunk won't like that. But does anyone know what exactly would happen if that cold path becomes unavailable? Does Splunk just queue up those buckets that need to be rolled from warm to cold? Or does it handle less gracefully? Does replication start breaking too maybe?

Our initial thought was just to put the cluster in maintenance mode and take those indexers offline during the downtime. But we'll ingest a decent amount of data in an hour, so if we could keep the indexers up to receive new data, that would be ideal.

Anyone insight would be helpful. Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-11-2015 12:52 PM

Hi maciep,

find the answer regarding the move to cold here http://answers.splunk.com/answers/287056/if-my-coldtofrozendir-is-full-or-unavailable-do-i.html
Regarding the replication; this should not be effected at all (anyone correct me if I'm wrong!)

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-11-2015 12:52 PM

Hi maciep,

find the answer regarding the move to cold here http://answers.splunk.com/answers/287056/if-my-coldtofrozendir-is-full-or-unavailable-do-i.html
Regarding the replication; this should not be effected at all (anyone correct me if I'm wrong!)

cheers, MuS

Reply
Solved! Jump to solution

maciep
Champion
‎10-11-2015 05:37 PM

Thanks! I think we have plenty of disk space on our hot/warm mount to allow Splunk to keep running. If we decide to go that way, then I'll definitely follow up here with how it went.

0 Karma
Reply
Solved! Jump to solution

maciep
Champion
‎10-15-2015 06:26 AM

The change was made last night. All that I did was put the cluster in maintenance mode. I think if the master would have seen all cold data disappear from half or our indexers, it would have tried to clean things up. I'm not sure if that was necessary, but wasn't going to take a chance otherwise.

Looking in the logs on the servers that lost their cold path, I see a lot of these messages. They start at the time of the change and they stop after the share was remounted. That was it. 

10-14-2015 19:34:05.437 -0400 WARN  DatabaseDirectoryManager - Directory='/[path to cold]/[some bucket]' does not exist.  The directory representing this bucket might have just rolled.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...