Splunk Enterprise

Moving a cold database to different drive.

brentsinawski
Explorer

Hi All,

In my environment we have 6 indexers and one searchead which all are running server 2012.  We are running out of space on the physical indexers which are limited by physical drives. I have a san connection to all of the indexers.

How would i move just the coldDBs to a separate drive? Leaving warm to stay on the original drives?

eg.  I have [Linux]
homePath = volume:hot\Linux\db
coldPath = volume:cold\Linux\colddb
thawedPath = $SPLUNK_DB\Linux\thaweddb
tstatsHomePath = volume:tstatsHomePath\Linux\datamodel_summary
maxTotalDataSizeMB = 7500000
frozenTimePeriodInSecs = 31536000

 

I would like coldPath = F:\Linux\Colddb and move the current coldDBs over to the new drive and be searchable.  How would I accomp

Labels (2)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Here's the process I would use.

  1. Change the volume definition in indexes.conf to point to the new colddb location.  Do NOT restart the indexers.
  2. COPY the cold buckets to the new location.
  3. Restart the indexers so they use the new indexer.conf settings.
  4. Delete the old cold buckets.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

brentsinawski
Explorer

Thanks!  

I have a deployment server.  Should I change index.conf to point to the new location prior to copying all of the data to the new location?  Or should i copy the data first then change index.conf? 

 

Thanks again!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The deployment server is not involved in this.

You can changes indexes.conf before or after copying the data.  The important part is to not restart the indexers with the new configuration until the cold data is in place.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Here's the process I would use.

  1. Change the volume definition in indexes.conf to point to the new colddb location.  Do NOT restart the indexers.
  2. COPY the cold buckets to the new location.
  3. Restart the indexers so they use the new indexer.conf settings.
  4. Delete the old cold buckets.
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...