Getting Data In

Does maxVolumeDataSizeMB apply to all indexes in the volume's path?


Is Splunk smart enough to recognize that main and others are included under the primary volume even when main's path doesn't reference the volume name?

In other words, is it necessary to re-define the values of homePath and coldPath for each index, or will it automatically freeze buckets from all indexes on the partition when the value of maxVolumeDataSizeMB is crossed?

In the example below, it seems like buckets in main should start to be frozen after the total usage crossed ~3 TB, but it isn't completely clear based on the documentation here and here.

# $SPLUNK_DB = /mnt/internal
homePath   = $SPLUNK_DB/defaultdb/db
coldPath   = $SPLUNK_DB/defaultdb/colddb

# Initial indexing location
path = /mnt/internal
maxVolumeDataSizeMB = 3000000

homePath   = primary:/defaultdb/db
coldPath   = primary:/defaultdb/colddb

Splunk Employee
Splunk Employee

My experience with volumes is that if you specify a volume path, and you have indexes that lie under the same path (but don't use the volume:<name> tag, Splunk will complain on startup. I believe that the complaint is words to the effect of "this index is under a volume, but not part of it, volume retention rules won't work."

As a best practice, I've always been in the habit of re-defining the homePath and coldPath of each index.

Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...