Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

indexes.conf stopping my search heads from starting.

willsy
Communicator
‎01-26-2019 11:32 AM

hello,

i just want to confirm / clarify if what i am about to do is correct. i have read the index guides, indexes guides and cluster guides.

When my splunk multi site and clustered approach died my indexed data was no longer searchable and my search heads in particular would not turn on. it gave me a db error. i did some fault finding and effectively the homepath to my indexed data was both not writable anymore and also in the wrong place (PS architect that built the environment and put it in this specific location)

so my question....

If i change the indexes.conf file to have the location of the indexed data to
"servername/D:/Splunk/hotdb"
"servername/D:/Splunk/colddb"
"servername/D:/Splunk/thaweddb"

servername being the specific networked name of the new storage array.

will that allow me to store the data there and will it be searchable? yes i will ensure ability to write to that location.

part 2: what other specific files need to be changed on a multi site clustered indexer environment in order to make this work? i have a cluster master, license master, deployment server. 3 x indexers in each location and 1x SH in each location.

it is still in test so losing the data isnt actually a drama, i just want a correctly working area first.

part 3: due to monetary constraints the second site at the moment does not have its own data storage array and will for the moment be using the first sites storage.... when i get this storage will i then have to change the indexes.conf file on the second site to this...

"servernamesite2/D:/Splunk/hotdb"
"servernamesite2/D:/Splunk/colddb"
"servernamesite2/D:/Splunk/thaweddb"

any help is greatly appreciated.

willsy

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎01-26-2019 09:25 PM

Firstly, moving data location by altering indexes.conf while the server is stopped is fine and should be transparent.

Secondly, I am not sure how your storage array is being presented to the operating system, but if its through an Windows share, then I am pretty sure that is not supported. Technically it may work, but you need to make sure its very quick storage. The most component for Splunk (IMHO) is having fast storage above all else.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...