Getting Data In

How do we change indexes.conf's cold path in a clustered Splunk environment?

jaracan
Communicator

Hi Team,

Here is our scenario:

Our current directory in our coldPath parameter in master-apps/org_all_indexes/local/indexes.conf is almost full in disk space. We are planning to change the coldPath and point it to a new directory with more disk space.

Since we have a clustered environment, it is safe to just update the coldPath parameter in master-apps/org_all_indexes/local/indexes.conf? Else, what are the factors needed to consider first to avoid unnecessary repercussions and what are the best practices to migrate cold buckets into a new directory?

0 Karma

bcyates
Communicator

Cold path or cold volume? Is your hot/warm storage and cold storage on the same partition or do they each have their own?

Judging by that app naming convention, it sounds like you had Professional Services help at some point. They should have set a parameter called maxVolumeDataSizeMB for that partition in indexes.conf. The max size should be set close to the total amount of storage available on that partition with a little bit of buffer.

Essentially, when your cold storage reaches that point, it will begin rolling the oldest data to frozen. By default, rolling to Frozen just deletes the data. If you did not specify a coldToFrozenScript or coldToFrozenDir for Frozen data, then that is what would happen.

I would not change your current cold directory. I would add a partition for Frozen data if you do not want data to be deleted, then just set the coldToFrozenDir. Or if you have no reason to retain the data, then just let Splunk roll the oldest stuff to frozen.

0 Karma

ansif
Motivator

https://answers.splunk.com/answers/478697/migrating-hotwarm-and-cold-buckets-to-separate-dri.html

The above link will be helpful for you to start.

Please let me know if you find any difficulties.

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...