How do I pause indexing?

talbot7
Path Finder

I would like to pause indexing when I reach 95% of my license. I have the Nagios check built, I just need the command to pause indexing.

0 Karma

yannK
Splunk Employee

To stop indexing, you could change the minFreeSpace in server.conf, but it may also stop searches.
See http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Serverconf
```
[diskUsage]

minFreeSpace =
* Specified in megabytes.
* The default setting is 2000 (approx 2GB)
* Specifies a safe amount of space that must exist for splunkd to continue operating.
* Note that this affects search and indexing
* This is how the searching is affected:
  * For search:
    * Before attempting to launch a search, splunk will require this
      amount of free space on the filesystem where the dispatch
      directory is stored, $SPLUNK_HOME/var/run/splunk/dispatch
    * Applied similarly to the search quota values in
      authorize.conf and limits.conf.
  * For indexing:
    * Periodically, the indexer will check space on all partitions
      that contain splunk indexes as specified by indexes.conf. Indexing
      will be paused and a ui banner + splunkd warning posted to indicate
      need to clear more disk space.
```

0 Karma

talbot7
Path Finder

I was thinking about taking that one step farther and having different indexers for each environment.

0 Karma

yannK
Splunk Employee

What about having each forwarder deployment send to a different splunktcp port? Then you can disable a specific port at a time to block the forwarders.
They will queue, then pause, and restart once the port reopens.

0 Karma

talbot7
Path Finder

Our average data is only 50% of our license, so we normally have no problems catching up.

0 Karma

kristian_kolb
Ultra Champion

So you're just pushing the problem ahead of you until there are days that go below the limit, so you can then catch up on the backlog (no pun intended).

0 Karma

talbot7
Path Finder

Yes, I do understand the hypocritical problems with my customers... 😞

I can get away with an indexer reboot (sometimes). The search heads are different boxes.

Lose data?! HAHAHAHAHAHA. We have forwarders on all systems, and never lose any data. Splunk is real good about catching up the next day when we turn the indexer back on.

0 Karma

kristian_kolb
Ultra Champion

Ok so you have a tricky problem. You have some customers that need access to their data - and they cannot accept downtime (for searches?). But they have no problems with you throwing away their logs once the license is 95% full!?!

Sounds like you need a bigger license. The customers should be happy to pay for it, given the circumstances... or am I missing something?

talbot7
Path Finder

Having iptables drop anything on 9998 does not affect established sessions.

I wound up editing inputs.conf and restarting the indexer. Only a few customers noticed.

There has got to be a clean way of doing this, without using iptables or restarting Splunk.

0 Karma

kristian_kolb
Ultra Champion

Sorry, are you saying that the forwarder->indexer traffic (i.e. logs) changes ports from what you've defined in inputs.conf (on the indexer) and outputs.conf (on the forwarder)??? I didn't think that was possible.

I still don't.

You should be able to either block it in the local fw on the indexer or edit inputs.conf on the indexer and restart it. (as yannk says)

Also, as for restarting a production environment: you lose 2 minutes of searchability for the restart as opposed to losing 1 day to get a license reset key....

talbot7
Path Finder

Can't block the port with iptables.

"All traffic is sent from forwarders on port 9998 (SSL). Once a connection is established, it moves to some random high level port. If it just stayed put, I would kill it with IPTables."

I am trying to build the automated approach (Not the manager). But for now, that will have to do.

0 Karma

yannK
Splunk Employee

So close the input port using the manager!
Or block the port using iptables...

talbot7
Path Finder

Tried that:

```
[root@splk01 bin]# ./splunk set minfreemb 200000
You need to restart the Splunk Server (splunkd) for your changes to take effect.
```

Restarting the production environment is still not an option 😞

0 Karma

yannK
Splunk Employee

Disable the inputs or shutdown splunk.

An alternative is to set up a nullQueue filtering rule and turn it on to trash all your events.

See http://docs.splunk.com/Documentation/Splunk/5.0.1/Deploy/Routeandfilterdatad#Keep_specific_events_an...

0 Karma

yannK
Splunk Employee

Splunk does not throttle the indexing when the license is exceeded; it keeps indexing but disables the search.
If you are an enterprise customer, you can go over, and once you have 5 days of warnings ask for a reset key.

To stop a listening port, just edit inputs.conf and disable the input and restart to reload.

0 Karma
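The inputs.conf edit described in the post above can be scripted so a monitoring check can trigger it. This is an added example, not code from the thread or from Splunk: the function name `set_input_disabled`, the stanza name `[splunktcp-ssl:9998]` and the sample file are assumptions, and a splunkd restart is still needed afterwards, as the post says.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Splunk): set "disabled = <0|1>"
# inside one stanza of an inputs.conf-style file, leaving other stanzas untouched.
# Returns 2 and leaves the file unchanged if the stanza is not present.

set_input_disabled() {
    file=$1 stanza=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v want="[$stanza]" -v val="$value" '
        # Stanza header: emit it, and for the target stanza emit the new setting.
        /^\[/ {
            in_s = ($0 == want)
            print
            if (in_s) { print "disabled = " val; found = 1 }
            next
        }
        # Drop any previous "disabled" line inside the target stanza.
        in_s && /^[ \t]*disabled[ \t]*=/ { next }
        { print }
        END { exit(found ? 0 : 2) }
    ' "$file" > "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    # Write back in place so the original owner and permissions are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

demo() {
    # Constructed sample file; the stanza for port 9998 (SSL) is an assumption.
    conf=$(mktemp)
    printf '%s\n' \
        '[splunktcp-ssl:9998]' \
        'connection_host = ip' \
        '' \
        '[monitor:///var/log/messages]' \
        'disabled = 0' > "$conf"
    set_input_disabled "$conf" 'splunktcp-ssl:9998' 1 && cat "$conf"
    rm -f "$conf"
}

demo
# After editing the real file, restart splunkd for the change to load.
```

Calling the function again with `0` re-enables the input; forwarders queue while the port is closed, so both changes should be logged by whatever automation drives them.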

talbot7
Path Finder

I have filters in place sending garbage data to nullQueue. Can't shutdown splunk, customers will get upset.

Can't seem to disable the input from the command line:

```
[root@splk01 bin]# ./splunk disable listen -port 9998
In handler 'cooked': Could not find config id for port 9998
```

All traffic is sent from forwarders on port 9998 (SSL). Once a connection is established, it moves to some random high level port. If it just stayed put, I would kill it with IPTables.

I know there is a clean way to do this. Splunk does it when it runs low on disk space.

0 Karma