Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to migrate back the data stored in Smartstore to persistent disk

manikanta461
Explorer
‎01-22-2024 05:45 AM

Hello All,

Recently we have migrated all our indexes to Splunk Smartstore with our remote storage being Azure blob.
After that we noticed several problems with our environment.

  • Buckets being stuck in fixup state more often.
  • Indexing queues being full (No major spike in data indexation).
  • Huge increase in number of buckets.

And the list goes on.

We are considering to revert back to the persistent disk for data storage, however, looking at the Splunk documentation, it is not possible to revert back an index configured with Splunk Smartstore perisitent disk. But, I'm looking at a way, if it would be still possible to do it, because of the above issues, the search performance is abysmal.

We have around 6 indexers and each indexer has around 800k buckets and the current data on remote storage (Smartstore) is 50 TB.

 

Are there any ways to migrate back to persistent disk? Looking forward to any gray methods to try out as well.

 

Thanks

Tags (2)
Reply

AkshayRayapudi
Observer
‎04-16-2024 05:19 AM

Hi @manikanta461 , We've migrated one of our high volume index to smart store and facing the exact same issues as you've described in your post. Could you please tell me how you resolved this issue? And, if you've performed a roll-back, what steps should be taken to minimize data loss/impact?

0 Karma
Reply

linhmai_bne
Path Finder
‎01-22-2024 08:17 PM

I agreed that we should have option to move data from SmartStore back to local storage.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-22-2024 07:14 AM

The documentation is correct.  Once you go to SmartStore you can't go back; anything else would be a Science Experiment.

Switching to SmartStore (S2) should not have caused the problems you listed. Search performance can be affected if the S2 cache is too small or users have a tendency to search over more than 30 days.

Is SmartStore in the same environment as your indexers?  Using a cloud S2 with on-prem indexers is likely cause problems and be expensive.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

manikanta461
Explorer
‎01-22-2024 07:17 AM

Thanks for the answer, at least the indexers are in the same environment as the smartstore and not on-prem.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-25-2024 03:20 AM

Hi

Your best (and probably only) option is to connect your splunk account manager and ask PS support for this case. At least they could do an analyse about your environment and check is is what it required. They also could create a plan how this situation could fixed asap.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...