Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Move defaultdb to another indexer
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Move defaultdb to another indexer
I want to move my defaultdb from one indexer to another. The data will be put in an index called "OLD" on the new indexer and it's really for the purpose of looking up past events indexed. The indexer where the defaultdb lives right now will be going away.
How can i roll the default db and copy it to a new indexer? Also I don't see the default db listed under "Indexes" when I login to splunk and look for it.
Isn't the defaultdb where most of your data goes unless you specify otherwise? I'm a bit confused here...
My defaultdb has 88g. My _internal db has 3.2g....
I tried this command and after putting in my userid and password a bunch of code just flew by on the screen:
./splunk _internal call /data/indexes/defaultdb/roll-hot-buckets
Here's an example of the code for summary index:
<entry>
<title>summary</title>
<id>https://127.0.0.1:8089/servicesNS/nobody/system/data/indexes/summary</id>
<updated>2012-06-15T20:32:31+00:00</updated>
<link href="/servicesNS/nobody/system/data/indexes/summary" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/indexes/summary" rel="list"/>
<link href="/servicesNS/nobody/system/data/indexes/summary/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/indexes/summary" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="blockSignSize">0</s:key>
<s:key name="blockSignatureDatabase">_blocksignature</s:key>
<s:key name="coldPath">$SPLUNK_DB/summarydb/colddb</s:key>
<s:key name="coldPath_expanded">/opt/splunk/var/lib/splunk/summarydb/colddb</s:key>
<s:key name="coldToFrozenDir"/>
<s:key name="coldToFrozenScript"/>
<s:key name="compressRawdata">1</s:key>
<s:key name="currentDBSizeMB">1</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>noc</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="enableOnlineBucketRepair">1</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath">$SPLUNK_DB/summarydb/db</s:key>
<s:key name="homePath_expanded">/opt/splunk/var/lib/splunk/summarydb/db</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="isInternal">0</s:key>
<s:key name="lastInitTime">1339792351.566061</s:key>
<s:key name="maxBloomBackfillBucketAge">30d</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">3</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxMetaEntries">1000000</s:key>
<s:key name="maxRunningProcessGroups">20</s:key>
<s:key name="maxRunningProcessGroupsLowPriority">1</s:key>
<s:key name="maxTime"/>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="minRawFileSyncSecs">disable</s:key>
<s:key name="minTime"/>
<s:key name="partialServiceMetaPeriod">0</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceMetaPeriod">25</s:key>
<s:key name="suppressBannerList"/>
<s:key name="sync">0</s:key>
<s:key name="syncMeta">1</s:key>
<s:key name="thawedPath">$SPLUNK_DB/summarydb/thaweddb</s:key>
<s:key name="thawedPath_expanded">/opt/splunk/var/lib/splunk/summarydb/thaweddb</s:key>
<s:key name="throttleCheckPeriod">15</s:key>
<s:key name="totalEventCount">0</s:key>
</s:dict>
</content>
is this normal? I looked at my defaultdb directory and I still have 2 hot buckets that weren't rolled. I also looked at the code output from running this command and didn't see anything for defaultdb in there at all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ran this: ./splunk _internal call /data/indexes/main/roll-hot-buckets
Stopped Splunk. Looked at defaultdb buckets and it rolled them. I am not sure why it did not work when specifying just defaultdb. ? Nevermind guys...I would say that the command should give you some indication that buckets were rolled. Just having a script fly by me isn't very reassuring...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
