#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for a sample of colddb files/data to compare my colddb files with.

Log_wrangler
Builder
‎01-23-2018 09:09 AM

I am viewing my db and colddb locations.

looking in my ... /db I see the usual db_1234567890_0987654321_1234 files

but when I look in my .../colddb I see only rb_1234567890_0987654321_123_... - ...- ...-tmp.

The data I am using is from either a cluster or pool of indexers so I am assuming the rb is replication bucket?

What does data from db look like when it rolls to colddb (in general, just trying to understand the structure/syntax of normal)?

Will dbinspect show cold state info too?

Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-23-2018 10:54 AM

The buckets/folder with name starting with rb_ are indeed replicated buckets. The hot and warm buckets will reside in .../db, directory. The hot bucket is writable and will have names like host_v1_<<someid>>. Once they are rolled to warm, it'll have name starting with db_<<latestepochtimestamp>>_<<earliestepochtimestamp>>_<<someid>> and are read-only. Once warm bucket roll to cold, it'll have the same name but will more to .../colddb directory.

The dbinspect command will have state field in the output.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-23-2018 10:54 AM

The buckets/folder with name starting with rb_ are indeed replicated buckets. The hot and warm buckets will reside in .../db, directory. The hot bucket is writable and will have names like host_v1_<<someid>>. Once they are rolled to warm, it'll have name starting with db_<<latestepochtimestamp>>_<<earliestepochtimestamp>>_<<someid>> and are read-only. Once warm bucket roll to cold, it'll have the same name but will more to .../colddb directory.

The dbinspect command will have state field in the output.

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎01-23-2018 11:25 AM

Thank you for confirming.

So in general the file structure/syntax will remain the same rolling from warm to cold, and I should see the same file naming (e.g. db_1234567890_0987654321_1234) unless it is "replicated" then rb_ will precede the files...

Please correct me if I am misunderstanding.

Thank you

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎01-23-2018 10:19 AM

I would presume that hot/warm db data files and colddb data files would be the same but cold would be older?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...