Solved: Re: Who to split up $SPLUNK_DB and colddb

hartfoml · ‎07-25-2016

I have many indexes on my three indexers. I have attached NSF shares for the colddb. All the indexes are at $SPLUNK_DB/indexname/colddb.

If I stop splunk and copy all the cold buckets to a new share
rsync -Rv --archive */colddb/* /mnt/cs-1/splunk/
How can I pint splunk to the new location at startup?

lycollicott · ‎07-25-2016

Edit your indexes.conf file and change the cold setting for each index.

For example, change this"

coldPath   = $SPLUNK_DB\defaultdb\colddb

to this:

coldPath =\your_newpath\defaultdb\colddb

View solution in original post

lycollicott · ‎07-25-2016

Edit your indexes.conf file and change the cold setting for each index.

For example, change this"

coldPath   = $SPLUNK_DB\defaultdb\colddb

to this:

coldPath =\your_newpath\defaultdb\colddb

lycollicott · ‎07-25-2016

Let me clarify something for you ....

Stop splunk first
Do your rsync
Edit indexes.conf
Start splunk.

hartfoml · ‎07-26-2016

Part of what @lycollicott suggested solved my problem I created a new veritable in splunk-launch.conf then did a global search and replace in all the indexes.conf for the new veritable to the "colddb = $SPLUNK_COLDDB" This will have to be changed for every new index that is created in the future.

hartfoml · ‎07-26-2016

thanks but there are many indexes.conf to edit. I was looking for something that would change the default behavior. Perhaps something in the splunk-launch.conf where the defualt SPLUNK_DB is located?

Thanks for the response.

lycollicott · ‎07-26-2016

Now, wait a minute. Your post indicated that you wanted to move only colddb, right? Well, it you change the value of SPLUNK_DB (which is possible) then that affects your hot/warm buckets as well as cold.

If you want to relocate only your colddb buckets then you have to edit the indexes.conf file.

hartfoml · ‎07-26-2016

thanks that is the answer I was hoping not to get. I was hoping someone had a way to address where the cold buckets were without having to edit all the indexes.conf for all the the apps that have been installed along with all the data sources that have been added. looks like 86 different indexes to edit in about 14 different indexes.conf files and some are default so I will have to create some new indexes.conf. I was hoping for a better answer that the one you provided.

Thanks for your help 🙂

lycollicott · ‎07-26-2016

I have never tried this myself, but I wonder if you could create a new variable SPLUNK_COLDDB in splunk-launch.conf. Unfortunately you would still have to edit indexes.conf.

hartfoml · ‎07-26-2016

That is a great idea. I will try it.

Create Veritable called SPLUNK_COLDDB in splunk-launch.conf
Replace "coldPath = $SPLUNK_DB" with "coldPath = $SPLUNK_COLDDB" in 84 locations

Is there a way to change the default coldPath for newly created indexes

lycollicott · ‎07-26-2016

I just tried a new variable and it did work. LOL, give me some karma HaHa

ebwong · ‎11-17-2021

Is there another configuration file that I can set the $COLD_DB Variable in so that I can "override" the default configuration from an app?

lycollicott · ‎07-26-2016

I doubt it.

Who to split up $SPLUNK_DB and colddb

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation