Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to determine what exactly is happening with rolling data to cold storage

jamesdon
Path Finder
‎12-06-2011 11:56 AM

Hello,

We recently experienced a problem where our storage for cold data went offline. We are interested in determining exactly what happened to the data at that time, as well as when running a splunk fsdsk.

Is there a search prebuilt for this? Which file in /opt/splunk/var/log/splunk/ would have this info?

Thank you,

Jim

Tags (1)
0 Karma
Reply

jamesdon
Path Finder
‎12-18-2011 08:00 AM

OK, it took us a bit to figure this one out, but the results may help someone out in the future. It ends out that we stopped rolling data over to cold after making changes to indexes.conf a while back. Lessons learned:

First, the logs are in /opt/splunk/var/log/splunk/splunkd.log.

Second, do not put trailing comments in your config files, it will cause confusion and delay. Something like:

[stan]
config = this # Don't put a comment here, its trouble

Jim

0 Karma
Reply

twkan
Splunk Employee
Splunk Employee
‎12-07-2011 07:16 AM

This sounds like a nasty issue to have, and may be similar to what I have encountered recently. Did your data somehow rolled over nto the frozen stage, and you do not have a coldToFrozen script defined?

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎12-06-2011 01:59 PM

There isn't a prebuilt search for this, and I am not exactly sure what you mean by your cold data went offline. I assume its remote storage of some sort, such as nfs? I would review splunkd.log for errors about the buckets. I would imagine you'd see a lot of inflight buckets in warm that never made it to cold.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...