Request for Guidance on Running PROD Index Servers in another site without Cold Storage

Nraj87
Explorer

I would like to run a copy of PROD Indexer servers’ VMs in another site (DR setup) without mapping Cold Storage, to validate environment readiness.

Could you please advise if any of the below approaches are suitable, or if there are other recommended options?

Option A - Take VM snapshot or backup copy of PROD indexers.

Deploy in test site without mounting cold storage disks.

Before starting Splunk, edit /opt/splunk/etc/system/local/indexes.conf (or deployment-specific conf path):

  • Hash out/remove coldPath entries for each index.

  • Splunk will start and treat the indexes as having only hot/warm storage.

    ========================================================================================================================================================

Option B – OPTIMISTIC_ABOUT_FILE_LOCKING = 1

  • What it does: This setting tells Splunk to ignore file lock checks during boot (commonly used on NFS mounts or shared storage).
  • Pros:
    • Indexers will start even if file locks are not available.
    • Lets us bring up DR indexers without cold storage attached.

Impact: Unknown

================================================================================================================================================================

Option C – Temporary Cold Storage + Increase maxWarmDBCount

  • What it does:
    • Attach temporary 200GB cold storage.
    • Increase maxWarmDBCount from 300 to 1000, which allows more warm buckets to be retained before rolling to cold.
  • Pros:
    • Keeps logs warm longer (delays need for cold storage).
    • Reduces immediate cold storage dependency during DR migration.
0 Karma

PickleRick
SplunkTrust

It's not obvious to me what your goal is. "Validate environment readiness" to do what? If this is a test of DR procedure, without cold you don't have full DR.

Normally you can run without cold (but you still have to have it defined) when running with SmartStore - then your hot/warm storage is hot/cache and the "cold" data is stored in SmartStore.

But you still need coldPath defined and accessible.

Of course you might point your server to an empty directory in which case you'll simply lose your previously-indexed-elsewhere data. So this is not a full DR if you do that - you've already lost much of your data.

So what is your actual use case?

0 Karma

livehybrid
SplunkTrust

Hi @Nraj87 

I'm confused by the two options B here, so assume the second is option C and not an extension of the first B!

It's also worth noting that this isn't a typical way of operating Splunk - if you want a DR backup then you should look at a multisite cluster. Please see https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/9.4/ove... for more info.

Specifically answering your question though...

Based on the docs, Splunkd does not start if an index lacks a valid 'coldPath'. Therefore Option A is not possible.

Option B sounds like it's using a coldPath that doesn't exist - the docs suggest a 'valid' coldPath, which might mean that checks are made on the path's existence, regardless of the file lock checking, therefore I do not think this would work either.

That leaves the 3rd option (C) as the remaining viable solution. 


0 Karma
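
Both replies above turn on coldPath being defined and accessible for every index before splunkd is started. The following is an added example, not code from any poster or from Splunk: a pre-start check for the DR copy that lists indexes whose coldPath is undefined or does not resolve to a directory on the host. The sample config, the function names and the `/opt/splunk/var/lib/splunk` value used for `$SPLUNK_DB` are assumptions.

```python
import os

def parse_conf(text):
    # Minimal .conf reader -> {stanza: {key: value}}; "#" lines (Option A) are skipped.
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def resolve(path, index, splunk_db, volumes):
    # Expand volume:<name>/..., $SPLUNK_DB and $_index_name.
    if path.startswith("volume:"):
        name, _, rest = path[len("volume:"):].partition("/")
        path = os.path.join(volumes.get(name, ""), rest)
    return path.replace("$SPLUNK_DB", splunk_db).replace("$_index_name", index)

def check_cold_paths(conf_text, splunk_db, is_dir=os.path.isdir):
    # Returns [(index, problem)]; an empty list means every coldPath is usable.
    conf = parse_conf(conf_text)
    volumes = {s[len("volume:"):]: kv.get("path", "")
               for s, kv in conf.items() if s.startswith("volume:")}
    problems = []
    for stanza, kv in conf.items():
        if stanza == "default" or stanza.startswith("volume:"):
            continue
        # Index stanzas inherit settings from [default].
        cold = {**conf.get("default", {}), **kv}.get("coldPath")
        if not cold:
            problems.append((stanza, "coldPath not defined"))
        elif not is_dir(path := resolve(cold, stanza, splunk_db, volumes)):
            problems.append((stanza, "coldPath not accessible: " + path))
    return problems

# Constructed sample: [web] has coldPath commented out, [fw] uses a cold volume.
SAMPLE = """[volume:cold]
path = /mnt/cold_storage
[main]
coldPath = $SPLUNK_DB/defaultdb/colddb
[web]
# coldPath = volume:cold/web/colddb
[fw]
coldPath = volume:cold/fw/colddb
"""

if __name__ == "__main__":
    print(check_cold_paths(SAMPLE, "/opt/splunk/var/lib/splunk"))
```

On a real indexer the input should be the merged configuration, for example the output of `splunk btool indexes list`, rather than a single indexes.conf file.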