Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to deal with my buckets when migrating the Splunk_DB of a index to another drive?

Shuhei052492
Path Finder
‎01-21-2019 11:02 PM

What is the best way to deal with my buckets when migrating the Splunk_DB of a index to another drive?

Hello, Splunk Professionals,

I am planning to change the path of my index(name is "abc") DB to another drive, because the amount of volums is going to be full.

My envirnment is All-in-on on Windows server and v7.x . And I see these doc to build a plan.
https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Moveanindex

But I am concerned the following thing.
Does anyone have an advice or knowledge related with them?
I really appreciate any comments.

  1. Is it enough to let splunkd be stop to prepare moving index DB? I am wondering whether it is necessarry for splunkd to be restart before being stop or not, because hot bucket must migrate to warm bucket before moving.

2.Is it possible to search the hot bucket after migrating the folder which is included with hot, warm, cold?

Best regards,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-22-2019 07:49 AM

Do rsync while splunk is running.
Do rsync again while splunk is running.
Stop splunk.
Do rsynch again.
Edit the inputs.conf to point to new location.
Start splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-22-2019 07:49 AM

Do rsync while splunk is running.
Do rsync again while splunk is running.
Stop splunk.
Do rsynch again.
Edit the inputs.conf to point to new location.
Start splunk.

0 Karma
Reply
Solved! Jump to solution

Shuhei052492
Path Finder
‎01-22-2019 09:40 PM

I really understood about the hot and buckets.
I appreciate your following kind answer.

You are confused about hot and warm. A hot bucket is a warm bucket that is open for writing new data; a warm bucket is a hot bucket that has been closed and is no longer being used to write new data. They are the same physical thing in the same physical space. The only difference is whether Splunk is writing to it. Once closed, a hot/warm bucket will never be opened for writing again (it has become a warm bucket). So, by definition, stopping Splunk rolls all hot buckets to a warm state, but in the same physical space with the same name and directory structure. You are overthinking and over-complicating this.

I hope the doc of splunk will be added such a kind description.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2019 05:51 AM

If you submit this as feedback to the appropriate doc page, it will probably be added in some form.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

teunlaan
Contributor
‎01-21-2019 11:25 PM

If you only want to move 1 off "many" indexes , Don't edit splunk-launch.conf. You need to edit the location for that index in indexes.conf.

Yes stop splunk, move the index, edit the conf files, start splunk > you can search all your data as before

0 Karma
Reply
Solved! Jump to solution

Shuhei052492
Path Finder
‎01-22-2019 06:00 PM

Hi teunlaan,

Thanks for your advice.
Is it not necessary to run the following command to migrate hot buckets when splunk stop
command:
splunk _internal call /data/indexes//roll-hot-buckets –auth :

https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Backupindexeddata

Because I think it is not safe to migrate hot bucket.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-22-2019 06:21 PM

When you stop splunk, all hot buckets close and roll to warm. You have to stop splunk to change the indexes.conf setting anyway. There is no need for such gymnastics.

0 Karma
Reply
Solved! Jump to solution

Shuhei052492
Path Finder
‎01-22-2019 06:35 PM

Hi woodcock,
As my verification, there are hot bucket when stopping splunk.
And then after running splunk service, hot buckets migrated to warm bucket.

So I am confused about why hot bucket does not migrate to warm bucket when stopping splunk.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-22-2019 06:49 PM

You are confused about hot and warm. A hot bucket is a warm bucket that is open for writing new data; a warm bucket is a hot bucket that has been closed and is no longer being used to write new data. They are the same physical thing in the same physical space. The only difference is whether Splunk is writing to it. Once closed, a hot/warm bucket will never be opened for writing again (it has become a warm bucket). So, by definition, stopping Splunk rolls all hot buckets to a warm state, but in the same physical space with the same name and directory structure. You are overthinking and over-complicating this.

Reply
Solved! Jump to solution

dkeck
Influencer
‎01-21-2019 11:20 PM

HI just to clarify, you want to move all of your indexes to a new disk? or just one?. The doc you linked is for moving the whole SPLUNK_DB

0 Karma
Reply
Solved! Jump to solution

Shuhei052492
Path Finder
‎01-22-2019 05:34 PM

Hi,
Thank you for your message.
I would like to migrate just one index to another drive.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...