When I tried to install Splunk Enterprise, I noticed that Splunk doesn't like ZFS. Given that MongoDB works just fine on top of ZFS, what do I need to do to get it working?
Here is what I get when I run locktest:
/opt/splunk/bin/locktest Could not create a lock in the SPLUNK_DB directory. Filesystem type is not supported: buf.f_type = 0x2fc12fc1 If supporting this filesystem type is important to you, please file an Enhancement Request with Splunk Support with the fs info number listed.
PS: No, I do not want to create a fs on top of another fs.
Splunk does support ZFS on Linux as of 6.4.0.
EDIT 10/1/17: This was actually a mistake, and should not have been added to the docs for 6.4.0 or any other Splunk version.
In the meantime I tried three things:
Even though the second alternative works, I am not so sure how this will work out in terms of stability and performance. I am now going with the third alternative, and I am quite happy that I don't need to kludge around with nfs.
Spent almost an hour googling and inventing various workarounds... And then I finally found your post. Wouldn't hurt if this simple solution was somewhere more... visible on the splunk website...
Unfortunately at this time there's no plans in have Splunk running on Linux ZFS. As Nnmiller mentioned, you may want to file an enhancement request.
In addition, your attempts at working around the testing will still cause issues if you have to open a case with Support - please use a supported file system..
I've been running splunk for years now on ZFS, using many terabytes of disk.
This may be off topic.
I've tested both btrfs and zfs. The version of btrfs I was running (albeit this was a few years ago, maybe fixed?) had massive problems when I tried it with auto snapshot turned on a heavily loaded system. None of those problems existed with zfs.
Even through btrfs is officially supported now, I recommend against it. ZFS with lz4 works very well.
You should submit an enhancement request to support through your Splunk entitlement account rather than via posting to answers.
Short of Splunk adding support for ZoL, Splunk Enterprise is available for Solaris 10 and 11 on x64 hardware. It should also run fine on on OmniOS or other Illumos-based distributions, though I doubt Splunk will offer support if you have issues on these distributions.
I heard that ZFS on Linux gets added for the Linux platform in an upcoming release, likely in early 2016.
Solaris, Smartos and Illumos: Yes, those were the days... 😉