#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

Looking for a sample of colddb files/data to compare my colddb files with.

Log_wrangler
Builder

I am viewing my db and colddb locations.

looking in my ... /db I see the usual db_1234567890_0987654321_1234 files

but when I look in my .../colddb I see only rb_1234567890_0987654321_123_... - ...- ...-tmp.

The data I am using is from either a cluster or pool of indexers so I am assuming the rb is replication bucket?

What does data from db look like when it rolls to colddb (in general, just trying to understand the structure/syntax of normal)?

Will dbinspect show cold state info too?

Thank you

Tags (1)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The buckets/folder with name starting with rb_ are indeed replicated buckets. The hot and warm buckets will reside in .../db, directory. The hot bucket is writable and will have names like host_v1_<<someid>>. Once they are rolled to warm, it'll have name starting with db_<<latestepochtimestamp>>_<<earliestepochtimestamp>>_<<someid>> and are read-only. Once warm bucket roll to cold, it'll have the same name but will more to .../colddb directory.

The dbinspect command will have state field in the output.

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The buckets/folder with name starting with rb_ are indeed replicated buckets. The hot and warm buckets will reside in .../db, directory. The hot bucket is writable and will have names like host_v1_<<someid>>. Once they are rolled to warm, it'll have name starting with db_<<latestepochtimestamp>>_<<earliestepochtimestamp>>_<<someid>> and are read-only. Once warm bucket roll to cold, it'll have the same name but will more to .../colddb directory.

The dbinspect command will have state field in the output.

0 Karma

Log_wrangler
Builder

Thank you for confirming.

So in general the file structure/syntax will remain the same rolling from warm to cold, and I should see the same file naming (e.g. db_1234567890_0987654321_1234) unless it is "replicated" then rb_ will precede the files...

Please correct me if I am misunderstanding.

Thank you

0 Karma

Log_wrangler
Builder

I would presume that hot/warm db data files and colddb data files would be the same but cold would be older?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...