Does maxVolumeDataSizeMB apply to all indexes in t...

southeringtonp · ‎03-21-2011

Is Splunk smart enough to recognize that main and others are included under the primary volume even when main's path doesn't reference the volume name?

In other words, is it necessary to re-define the values of homePath and coldPath for each index, or will it automatically freeze buckets from all indexes on the partition when the value of maxVolumeDataSizeMB is crossed?

In the example below, it seems like buckets in main should start to be frozen after the total usage crossed ~3 TB, but it isn't completely clear based on the documentation here and here.

# $SPLUNK_DB = /mnt/internal
[main]
homePath   = $SPLUNK_DB/defaultdb/db
coldPath   = $SPLUNK_DB/defaultdb/colddb

# Initial indexing location
[volume:primary]
path = /mnt/internal
maxVolumeDataSizeMB = 3000000

[index2]
homePath   = primary:/defaultdb/db
coldPath   = primary:/defaultdb/colddb

sowings · ‎06-25-2013

My experience with volumes is that if you specify a volume path, and you have indexes that lie under the same path (but don't use the volume:<name> tag, Splunk will complain on startup. I believe that the complaint is words to the effect of "this index is under a volume, but not part of it, volume retention rules won't work."

As a best practice, I've always been in the habit of re-defining the homePath and coldPath of each index.

Does maxVolumeDataSizeMB apply to all indexes in the volume's path?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor