Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do we change indexes.conf's cold path in a clustered Splunk environment?

jaracan
Communicator
‎10-09-2018 06:39 PM

Hi Team,

Here is our scenario:

Our current directory in our coldPath parameter in master-apps/org_all_indexes/local/indexes.conf is almost full in disk space. We are planning to change the coldPath and point it to a new directory with more disk space.

Since we have a clustered environment, it is safe to just update the coldPath parameter in master-apps/org_all_indexes/local/indexes.conf? Else, what are the factors needed to consider first to avoid unnecessary repercussions and what are the best practices to migrate cold buckets into a new directory?

0 Karma
Reply

bcyates
Communicator
‎10-11-2018 02:21 PM

Cold path or cold volume? Is your hot/warm storage and cold storage on the same partition or do they each have their own?

Judging by that app naming convention, it sounds like you had Professional Services help at some point. They should have set a parameter called maxVolumeDataSizeMB for that partition in indexes.conf. The max size should be set close to the total amount of storage available on that partition with a little bit of buffer.

Essentially, when your cold storage reaches that point, it will begin rolling the oldest data to frozen. By default, rolling to Frozen just deletes the data. If you did not specify a coldToFrozenScript or coldToFrozenDir for Frozen data, then that is what would happen.

I would not change your current cold directory. I would add a partition for Frozen data if you do not want data to be deleted, then just set the coldToFrozenDir. Or if you have no reason to retain the data, then just let Splunk roll the oldest stuff to frozen.

0 Karma
Reply

ansif
Motivator
‎10-09-2018 11:54 PM

https://answers.splunk.com/answers/478697/migrating-hotwarm-and-cold-buckets-to-separate-dri.html

The above link will be helpful for you to start.

Please let me know if you find any difficulties.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...