#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for a sample of colddb files/data to compare my colddb files with.

Log_wrangler
Builder
‎01-23-2018 09:09 AM

I am viewing my db and colddb locations.

looking in my ... /db I see the usual db_1234567890_0987654321_1234 files

but when I look in my .../colddb I see only rb_1234567890_0987654321_123_... - ...- ...-tmp.

The data I am using is from either a cluster or pool of indexers so I am assuming the rb is replication bucket?

What does data from db look like when it rolls to colddb (in general, just trying to understand the structure/syntax of normal)?

Will dbinspect show cold state info too?

Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎01-23-2018 10:54 AM

The buckets/folder with name starting with rb_ are indeed replicated buckets. The hot and warm buckets will reside in .../db, directory. The hot bucket is writable and will have names like host_v1_<<someid>>. Once they are rolled to warm, it'll have name starting with db_<<latestepochtimestamp>>_<<earliestepochtimestamp>>_<<someid>> and are read-only. Once warm bucket roll to cold, it'll have the same name but will more to .../colddb directory.

The dbinspect command will have state field in the output.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎01-23-2018 10:54 AM

The buckets/folder with name starting with rb_ are indeed replicated buckets. The hot and warm buckets will reside in .../db, directory. The hot bucket is writable and will have names like host_v1_<<someid>>. Once they are rolled to warm, it'll have name starting with db_<<latestepochtimestamp>>_<<earliestepochtimestamp>>_<<someid>> and are read-only. Once warm bucket roll to cold, it'll have the same name but will more to .../colddb directory.

The dbinspect command will have state field in the output.

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎01-23-2018 11:25 AM

Thank you for confirming.

So in general the file structure/syntax will remain the same rolling from warm to cold, and I should see the same file naming (e.g. db_1234567890_0987654321_1234) unless it is "replicated" then rb_ will precede the files...

Please correct me if I am misunderstanding.

Thank you

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎01-23-2018 10:19 AM

I would presume that hot/warm db data files and colddb data files would be the same but cold would be older?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...