I just want to confirm / clarify if what I am about to do is correct. I have read the index guides, indexes guides and cluster guides.
When my Splunk multi-site and clustered approach died, my indexed data was no longer searchable and my search heads in particular would not turn on. It gave me a DB error. I did some fault finding and effectively the homePath to my indexed data was both not writable anymore and also in the wrong place (PS architect that built the environment and put it in this specific location).
So my question...
If I change the indexes.conf file to have the location of the indexed data to
servername being the specific networked name of the new storage array.
Will that allow me to store the data there and will it be searchable? Yes, I will ensure ability to write to that location.
Part 2: What other specific files need to be changed on a multi-site clustered indexer environment in order to make this work? I have a cluster master, license master, deployment server, 3 x indexers in each location and 1 x SH in each location.
It is still in test so losing the data isn't actually a drama; I just want a correctly working area first.
Part 3: Due to monetary constraints the second site at the moment does not have its own data storage array and will for the moment be using the first site's storage.... When I get this storage, will I then have to change the indexes.conf file on the second site to this...
Firstly, moving data location by altering indexes.conf while the server is stopped is fine and should be transparent.
Secondly, I am not sure how your storage array is being presented to the operating system, but if it's through a Windows share, then I am pretty sure that is not supported. Technically it may work, but you need to make sure it's very quick storage. The most important component for Splunk (IMHO) is having fast storage above all else.
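
A pre-flight check for the failure described in the question (index paths that are missing, not writable, or on a network share), as an added example that is not part of the original posts or of Splunk's own tooling. The index name, the paths and the `servername` share in the sample are constructed placeholders; `homePath`, `coldPath`, `thawedPath`, `$SPLUNK_DB` and `$_index_name` are the real indexes.conf names.

```python
import configparser
import os
import tempfile

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

def check_index_paths(conf_text, splunk_db):
    """Return (index, key, resolved_path, problem) for every path that fails a check."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's case-sensitive key names
    cp.read_string(conf_text)
    problems = []
    for index in cp.sections():
        for key in PATH_KEYS:
            if not cp.has_option(index, key):
                continue
            # Expand the two variables indexes.conf commonly uses in path settings.
            path = cp.get(index, key).replace("$SPLUNK_DB", splunk_db)
            path = path.replace("$_index_name", index)
            if path.startswith(("\\\\", "//")):
                problem = "network share path, see the storage caveat in the answer"
            elif not os.path.isdir(path):
                problem = "directory does not exist"
            elif not os.access(path, os.W_OK | os.X_OK):
                problem = "not writable by the current user"
            else:
                continue
            problems.append((index, key, path, problem))
    return problems

# Constructed sample: the index name, paths and "servername" share are placeholders.
SAMPLE_CONF = r"""
[app_logs]
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
thawedPath = \\servername\splunk\$_index_name\thaweddb
"""

def demo():
    """Check SAMPLE_CONF against a temporary SPLUNK_DB where only the hot/warm dir exists."""
    with tempfile.TemporaryDirectory() as splunk_db:
        os.makedirs(os.path.join(splunk_db, "app_logs", "db"))
        return [(i, k, p) for i, k, _, p in check_index_paths(SAMPLE_CONF, splunk_db)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it on each indexer as the account splunkd runs under, since `os.access` tests the current user's permissions.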