Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does putting indexer into manual detention roll active hot buckets?

kozanic_mg
Explorer
‎07-22-2020 05:27 PM

Hi All,

We are trying to work out the best method for rolling our Indexer stack in AWS.

We have recently migrated to Smartstore and 1 week after migration had a number of indexers autoheal which resulted in corrupted buckets all over the place.

Our current thought is to put indexers into manual detention mode prior to the stack roll, but not sure if this forces a bucket roll and replication to S3 or if there is another step required to force this action.

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2020 06:31 AM
Buckets are not rolled by putting an indexer into manual detention.
It sounds like auto healing is not a good idea for indexers.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2020 06:31 AM
Buckets are not rolled by putting an indexer into manual detention.
It sounds like auto healing is not a good idea for indexers.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

kozanic_mg
Explorer
‎07-23-2020 03:29 PM

Thanks Rich - exactly the answer I was after.

Agreed on the autoheal, unfortunately for our situation we don't have any choice so will need to look into how best we can manage the process.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-23-2020 02:27 PM

Hi

here is describing how to roll hot buckets of index X to warm: https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Backupindexeddata#Rolling_buckets_manuall...

r. Ismo

Reply
Solved! Jump to solution

kozanic_mg
Explorer
‎07-23-2020 03:32 PM

thanks @isoutamo ,

Do you know whether we can use a wildcard option with is command?

IE: 

splunk _internal call /data/indexes/*/roll-hot-buckets

I have been advised that this should work, but we are currently having issues with our non prod environment and so haven't been able to test to confirm. 

0 Karma
Reply
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...
Top