Solved: Can you set a maximum hot index size globally?

responsys_cm · ‎05-24-2012

We would like to use a combination of solid state drives for the hot index and slower, cheaper disk for the warm/cold buckets. Is there a way to tell Splunk that the total size of all hot indexes should not exceed a certain size and roll events when that size is reached?

Thanks.

Craig

_d_ · ‎05-24-2012

You can make use of volume notation in indexes.conf for hot and warm. Note that hot and warm should be on the same path. As usual, there is more info here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/indexesconf

indexes.conf

[volume:hot1] path = /mnt/fast_disk maxVolumeDataSizeMB = 100000

[volume:cold1] path = /mnt/big_disk

[idx1] homePath = volume:hot1/idx1 coldPath = volume:cold1/idx1

[idx2] homePath = volume:hot1/idx2 coldPath = volume:cold1/idx2

Hope it helps

please upvote if you find this answer useful

View solution in original post

_d_ · ‎05-24-2012

You can make use of volume notation in indexes.conf for hot and warm. Note that hot and warm should be on the same path. As usual, there is more info here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/indexesconf

indexes.conf

[volume:hot1] path = /mnt/fast_disk maxVolumeDataSizeMB = 100000

[volume:cold1] path = /mnt/big_disk

[idx1] homePath = volume:hot1/idx1 coldPath = volume:cold1/idx1

[idx2] homePath = volume:hot1/idx2 coldPath = volume:cold1/idx2

Hope it helps

please upvote if you find this answer useful

Can you set a maximum hot index size globally?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation