What is the best way to deal with my buckets when migrating the Splunk_DB of a index to another drive?
Hello, Splunk Professionals,
I am planning to change the path of my index(name is "abc") DB to another drive, because the amount of volums is going to be full.
My envirnment is All-in-on on Windows server and v7.x . And I see these doc to build a plan.
https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Moveanindex
But I am concerned the following thing.
Does anyone have an advice or knowledge related with them?
I really appreciate any comments.
2.Is it possible to search the hot bucket after migrating the folder which is included with hot, warm, cold?
Best regards,
Do rsync while splunk is running.
Do rsync again while splunk is running.
Stop splunk.
Do rsynch again.
Edit the inputs.conf to point to new location.
Start splunk.
Do rsync while splunk is running.
Do rsync again while splunk is running.
Stop splunk.
Do rsynch again.
Edit the inputs.conf to point to new location.
Start splunk.
I really understood about the hot and buckets.
I appreciate your following kind answer.
You are confused about hot and warm. A hot bucket is a warm bucket that is open for writing new data; a warm bucket is a hot bucket that has been closed and is no longer being used to write new data. They are the same physical thing in the same physical space. The only difference is whether Splunk is writing to it. Once closed, a hot/warm bucket will never be opened for writing again (it has become a warm bucket). So, by definition, stopping Splunk rolls all hot buckets to a warm state, but in the same physical space with the same name and directory structure. You are overthinking and over-complicating this.
I hope the doc of splunk will be added such a kind description.
If you submit this as feedback to the appropriate doc page, it will probably be added in some form.
If you only want to move 1 off "many" indexes , Don't edit splunk-launch.conf. You need to edit the location for that index in indexes.conf.
Yes stop splunk, move the index, edit the conf files, start splunk > you can search all your data as before
Hi teunlaan,
Thanks for your advice.
Is it not necessary to run the following command to migrate hot buckets when splunk stop
command:
splunk _internal call /data/indexes//roll-hot-buckets –auth :
https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Backupindexeddata
Because I think it is not safe to migrate hot bucket.
When you stop splunk, all hot buckets close and roll to warm. You have to stop splunk to change the indexes.conf setting anyway. There is no need for such gymnastics.
Hi woodcock,
As my verification, there are hot bucket when stopping splunk.
And then after running splunk service, hot buckets migrated to warm bucket.
So I am confused about why hot bucket does not migrate to warm bucket when stopping splunk.
You are confused about hot and warm. A hot bucket is a warm bucket that is open for writing new data; a warm bucket is a hot bucket that has been closed and is no longer being used to write new data. They are the same physical thing in the same physical space. The only difference is whether Splunk is writing to it. Once closed, a hot/warm bucket will never be opened for writing again (it has become a warm bucket). So, by definition, stopping Splunk rolls all hot buckets to a warm state, but in the same physical space with the same name and directory structure. You are overthinking and over-complicating this.
HI just to clarify, you want to move all of your indexes to a new disk? or just one?. The doc you linked is for moving the whole SPLUNK_DB
Hi,
Thank you for your message.
I would like to migrate just one index to another drive.