Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens when maxVolumeDataSizeMB parameters will be decreased?

mkelderm
Path Finder
‎02-03-2014 11:01 AM

Hi,

Our maxVolumeDataSizeMB parameter for the warm-bucketss is set to 1.9 TB. What happens if I set this parameters to 1.5 TB? Will the warm-buckets moved to cold after the restart?

Greetz,

Marc

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-03-2014 11:15 AM

The non hot buckets containing the oldest events will be frozen to meet the requirement.

Will the warm-buckets moved to cold after the restart

NO, they will be frozen (i.e. deleted if no frozen location or script is defined) not moved from warm to cold.

View solution in original post

Reply
Solved! Jump to solution

akira_splunk
Splunk Employee
Splunk Employee
‎06-09-2017 01:15 PM

I can say from recent experience in 2017 on Splunk 6.5 that the buckets will roll from warm to cold, even if the cold volume and warm volume are the same.

One of my customer had their warm maxVolumeDataSizeMB set to 1.5TB, and their cold maxVolumeDataSizeMB also set to 1.5TB. However, they only had 1.5TB of disk space available, TOTAL!

We reduced the maxVolumeDataSizeMB for both hot and cold to 725GB each. Upon deploying the bundle from the cluster master, through the monitoring console, we can instantly see the warm bucket size and usage decrease to 725GB, and the size of the cold bucket increase to 725GB. We also validated by looking at the filesystem on one of the indexers.

The old data was NOT frozen!

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-03-2014 11:15 AM

The non hot buckets containing the oldest events will be frozen to meet the requirement.

Will the warm-buckets moved to cold after the restart

NO, they will be frozen (i.e. deleted if no frozen location or script is defined) not moved from warm to cold.

Reply
Solved! Jump to solution

akira_splunk
Splunk Employee
Splunk Employee
‎06-09-2017 01:03 PM

I can say from recent experience in 2017 on Splunk 6.5 that the buckets will roll from warm to cold, even if the cold volume and warm volume are the same.

A customer maximized their disk space, and the indexer stopped writing to disk. They reduced the maxVolumeDataSizeMB setting on the cluster master, and redeployed the bundle to the indexers. Through the monitoring console, we can instantly see the warm bucket size and usage decrease, and the size of the cold bucket increase usage increase. We also validated by looking at the filesystem.

The old data was NOT frozen!

Reply
Solved! Jump to solution

kylekoza
Explorer
‎03-24-2015 03:25 PM

This seems to contradict you.

When a volume containing warm buckets reaches its maxVolumeDataSizeMB, it starts rolling buckets to cold. When a volume containing cold buckets reaches its maxVolumeDataSizeMB, it starts rolling buckets to frozen. If a volume contains both warm and cold buckets (which will happen if an index's homePath and coldPath are both set to the same volume), the oldest bucket will be rolled to frozen.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Indexer/Configureindexstoragesize#Configure_index_...

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎02-03-2014 12:09 PM

oops. 2nd part of the dirname, but the 1st epoch. my bad. corrected above already.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎02-03-2014 12:08 PM

You need to define a frozen path, so that splunk knows where to put them (and not delete them). However, once they are frozen, they are no longer searchable, as only the raw data, and not the tsidx files are retained.

You can figure out which of the buckets that are likely to be frozen.

This will require that you find the size reduction / bucket size number of buckets and move them manually. In your case that could be (400 GB / 10 GB) ~40 buckets, but you should probably take a few more. Take the 50 buckets with the lowest values of X, where X is the 1st epoch timestamp part of the dirname

0 Karma
Reply
Solved! Jump to solution

mkelderm
Path Finder
‎02-03-2014 11:46 AM

Can I find out wich buckets are frozen and move them to cold?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...