splitting /splunk/frozen volume

splunkdeploy
New Member

Hi,

In my environment we have many index servers, e.g. 8 idx servers.
All servers are mounted with one NFS volume called /splunk, which has 11TB.
The /splunk mount point contains hot, cold, warm and frozen.

Now, as we have some space issues, we need to separate frozen from the /splunk volume.
We have got one new NFS volume with 10TB for /splunk/frozen.
Now the query is: if I need to separate the frozen from the old volume, I can mount it separately and copy the old data. But do I need to make any changes in any of the Splunk configuration?

Please suggest here.

Regards,
Unni TN

0 Karma

yannK
Splunk Employee

You can use the coldToFrozenDir setup in indexes.conf.

To avoid duplicate buckets, I recommend creating a new destination frozen folder for each pair of indexer/index.
It will also make it easier to restore.
(do not dump all in the same folder, it will be a nightmare)

0 Karma

alacercogitatus
SplunkTrust

So wait, what?

  1. You have 8 servers mounted to a SINGLE 11TB NFS Mount?
  2. What are the server specs of the indexers?
  3. How are you transitioning from cold to frozen? Homebrew script? Shuttl?
0 Karma

splunkdeploy
New Member

Hi,

1. You have 8 servers mounted to a SINGLE 11TB NFS Mount?
Yes, I have 8 different servers mounted to 11TB. The 11TB mount name is /splunk and it has hot, cold and frozen.
Inside /splunk/frozen I have 8 different server names.

2. What are the server specs of the indexers?
All 8 servers have 8 CPUs and 16GB memory.

3. How are you transitioning from cold to frozen? Homebrew script? Shuttl?
When I checked the indexes.conf file I could see the frozen transition is designed as

coldToFrozenDir = /splunk/frozen/$HOSTNAME

Regards,
Unni TN

0 Karma

yannK
Splunk Employee

Use a folder per index and indexer.
coldToFrozenDir = /splunk/frozen/servername/indexname

0 Karma

somesoni2
Revered Legend

FYR, the answer for 3 can be found by checking the value of the attribute "coldToFrozenDir" or "coldToFrozenScript" in the indexes.conf file on the indexer server.

0 Karma
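One way to check an indexes.conf for the two points raised in the replies above: index stanzas that share a coldToFrozenDir, and stanzas with neither coldToFrozenDir nor coldToFrozenScript (Splunk deletes frozen buckets by default when neither is set). This is an added example, not code from the thread or from Splunk; the function name `audit_frozen`, the host name `idx01`, the index names and the sample file are constructed.

```python
import configparser
import posixpath
from collections import defaultdict

# Constructed sample, not the poster's real indexes.conf. "idx01" and the index
# names are placeholders; [default] stanza inheritance is not modelled here.
SAMPLE_CONF = """
[web]
coldToFrozenDir = /splunk/frozen/idx01/web

[firewall]
coldToFrozenDir = /splunk/frozen/idx01

[os]
coldToFrozenDir = /splunk/frozen/idx01/

[scratch]
homePath = /splunk/scratch/db
"""

def audit_frozen(conf_text):
    """Return (shared, unarchived) for the index stanzas in conf_text.

    shared: {frozen_dir: [indexes]} for directories used by more than one index
    unarchived: indexes with neither coldToFrozenDir nor coldToFrozenScript
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase setting names as written
    cp.read_string(conf_text)
    by_dir, unarchived = defaultdict(list), []
    for stanza in cp.sections():
        if stanza.startswith("volume:"):  # volume definitions, not indexes
            continue
        frozen_dir = cp[stanza].get("coldToFrozenDir")
        if frozen_dir:
            by_dir[posixpath.normpath(frozen_dir.strip())].append(stanza)
        elif not cp[stanza].get("coldToFrozenScript"):
            unarchived.append(stanza)
    shared = {d: sorted(ix) for d, ix in by_dir.items() if len(ix) > 1}
    return shared, sorted(unarchived)

if __name__ == "__main__":
    shared, unarchived = audit_frozen(SAMPLE_CONF)
    for d, ix in shared.items():
        print(f"shared frozen dir {d}: {', '.join(ix)}")
    for ix in unarchived:
        print(f"no frozen archive configured (buckets deleted at freeze): {ix}")
```

Paths are compared after normalisation, so a trailing slash does not hide a shared folder; nested folders (one index archiving into a parent of another's) are not flagged.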