Monitoring Splunk

Moving to new hard drive space

larryrosen
Explorer

So I've seen many posts that seem to cover parts of this but here's what I'm looking for:

have a single instance of Splunk running on a physical server with 1TB of HD. Don't have enough space to hold the required amout of data so out network team has added me to the SAN and given me 2 TB. So now I have a 😧 drive where Splunk is installed and also the Data, and an E: Drive that is empty.

What is the best way to distribute this space so I can maximize the historical searching I can do as well as get best performance?

I'm a little fuzzy on the hot/warm/cold buckets concept as I only currently have 1 area defined to put everything...

Thanks!

larryrosen
Explorer

Found enough detail in the manual to do the move myself. It involves shutting down Splunk, moving the files, editing the configuration prior to restarting splunk to look for the data in the new location....

99% complete as there are still a few files (not huge database) that are being updated in old path but I can live with that. the core database files are now collecting on the new drive.

0 Karma

jcrane
Explorer

Did you complete this? I have to do something similar now and am curious about how this went and what you chose to do.

0 Karma

piebob
Splunk Employee
Splunk Employee

this documentation topic explains how indexes/buckets work overall, it might be helpful in making your decision:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes

this topic is about performance of search vs indexing:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Distributeindexingandsearching

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...