Deployment Architecture

indexes.conf stopping my search heads from starting.

willsy
Path Finder

Hello,

I just want to confirm / clarify if what I am about to do is correct. I have read the index guides, indexes guides and cluster guides.

When my Splunk multi site and clustered approach died, my indexed data was no longer searchable and my search heads in particular would not turn on. It gave me a db error. I did some fault finding and effectively the homepath to my indexed data was both not writable anymore and also in the wrong place (PS architect that built the environment and put it in this specific location).

So my question....

If I change the indexes.conf file to have the location of the indexed data to
"servername/D:/Splunk/hotdb"
"servername/D:/Splunk/colddb"
"servername/D:/Splunk/thaweddb"

servername being the specific networked name of the new storage array.

Will that allow me to store the data there and will it be searchable? Yes, I will ensure ability to write to that location.

Part 2: What other specific files need to be changed on a multi site clustered indexer environment in order to make this work? I have a cluster master, license master, deployment server, 3 x indexers in each location and 1 x SH in each location.

It is still in test so losing the data isn't actually a drama, I just want a correctly working area first.

Part 3: Due to monetary constraints the second site at the moment does not have its own data storage array and will for the moment be using the first site's storage.... When I get this storage, will I then have to change the indexes.conf file on the second site to this...

"servernamesite2/D:/Splunk/hotdb"
"servernamesite2/D:/Splunk/colddb"
"servernamesite2/D:/Splunk/thaweddb"

Any help is greatly appreciated.

willsy

0 Karma

chrisyounger
SplunkTrust

Firstly, moving data location by altering indexes.conf while the server is stopped is fine and should be transparent.

Secondly, I am not sure how your storage array is being presented to the operating system, but if it's through a Windows share, then I am pretty sure that is not supported. Technically it may work, but you need to make sure it's very quick storage. The most important component for Splunk (IMHO) is having fast storage above all else.

0 Karma
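A pre-start check for the path questions in this thread, as an added example that is not part of either post and not Splunk tooling: it reads an indexes.conf, pulls `homePath`, `coldPath` and `thawedPath` from each stanza, and labels each value as a local drive path, a UNC share (the case the answer warns about), or a string that is neither. The stanza names, the sample paths and the category labels are constructed for illustration.

```python
import configparser
import re

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

# Constructed sample: the first stanza uses the path form quoted in the
# question, the second a Windows share, the third a local drive.
SAMPLE_CONF = r"""
[question_form]
homePath   = servername/D:/Splunk/hotdb
coldPath   = servername/D:/Splunk/colddb
thawedPath = servername/D:/Splunk/thaweddb
[unc_share]
homePath   = \\servername\splunk\hotdb
coldPath   = \\servername\splunk\colddb
thawedPath = \\servername\splunk\thaweddb
[local_drive]
homePath   = D:\Splunk\local_drive\db
coldPath   = D:\Splunk\local_drive\colddb
thawedPath = D:\Splunk\local_drive\thaweddb
"""

def classify(path):
    """Return 'unc', 'local', 'variable' or 'malformed' (labels are this example's own)."""
    p = path.strip().strip('"')
    if re.match(r"^(\\\\|//)[^\\/]+[\\/]+[^\\/]+", p):
        return "unc"        # \\host\share\... : storage presented as a Windows share
    if re.match(r"^[A-Za-z]:[\\/]", p):
        return "local"      # drive-letter path on the indexer itself
    if p.startswith("$") or p.startswith("volume:"):
        return "variable"   # $SPLUNK_DB or volume: reference, resolved by Splunk
    return "malformed"      # parses as neither a drive-letter nor a UNC path

def check_indexes_conf(text):
    """Return (stanza, key, value, kind) for every index path setting found."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str    # keep key case: homePath, not homepath
    cp.read_string(text)
    return [(s, k, cp.get(s, k), classify(cp.get(s, k)))
            for s in cp.sections() for k in PATH_KEYS if cp.has_option(s, k)]

if __name__ == "__main__":
    for stanza, key, value, kind in check_indexes_conf(SAMPLE_CONF):
        flag = "" if kind in ("local", "variable") else "  <-- review before starting splunkd"
        print(f"[{stanza}] {key} = {value} ({kind}){flag}")
```
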