Splunk Search

What are these db_* files in the index directory? Can these be safely moved somewhere else without restarting Splunk?

michael_lee
Path Finder

Hi,

In one of my index directories:

CreationTime
db_1428308275_1420532289_1
db_1432097800_1428308291_0
db_1432863053_1432097788_2
db_1433833137_1432863054_3
db_1434789933_1433833139_4
db_1435717564_1434789937_5
db_1435820396_1435717565_6
GlobalMetaData
hot_v1_7
hot_v1_8

What are all those db_* files? Are they warm data? Can these be moved safely to somewhere else without restarting Splunk? They are filling up my server space.

Thanks

1 Solution

MuS
SplunkTrust

Hi michael_lee,

Yes, these are your warm buckets, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

You should not move them while Splunk is running; stop Splunk, move them away and restart Splunk.
Be aware that moving warm buckets to a different location will result in those buckets no longer being searchable. Maybe you should also have a look at the indexes.conf option maxTotalDataSizeMB and frozenTimePeriodInSecs to set the maximum size and age of your index data http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Indexesconf

cheers, MuS

MuS
SplunkTrust

Just a small side note: it looks like you can move them away without Splunk throwing errors, but they are afterwards still no longer searchable, and I would not rely on it being safe at all to do so in a production environment.


michael_lee
Path Finder

Hi, thanks. In that case, if I wish to search for old data, I can just stop Splunk, move back these archived warm buckets, restart Splunk and it will be searchable again, right? Thanks


MuS
SplunkTrust

There is no need to do this manually, Splunk can do this for you 😉
In indexes.conf set the COLDDB path and also the warmToColdScript; after that, Splunk will move the buckets (after the frozenTimePeriodInSecs) from WARMDB to COLDDB and your data is still searchable.
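Both answers above come down to the same mechanics: a warm or cold bucket directory is named db_<newest event epoch>_<oldest event epoch>_<local id>, and the indexes.conf retention settings (maxWarmDBCount for the warm-to-cold roll, frozenTimePeriodInSecs and maxTotalDataSizeMB for freezing) act on those timestamps. The script below is an added example, not code from the thread or from Splunk: it parses the directory listing from the question and reports what each setting would do to it. The bucket sizes in MB, the `now` timestamp and the thresholds are constructed values, and the size-based freeze is a simplified model (oldest bucket by newest event time first), not Splunk's exact implementation.

```python
"""Parse Splunk bucket directory names and simulate indexes.conf retention.

Added example, not from the thread or from Splunk. Bucket naming follows
db_<newest_event_epoch>_<oldest_event_epoch>_<localid>; hot buckets are
hot_v1_<localid> and carry no timestamps in the name.
"""
import re
from dataclasses import dataclass

BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")

# Directory names copied from the question. The MB sizes are constructed
# sample values; Splunk does not encode bucket size in the directory name.
SAMPLE_LISTING = [
    ("CreationTime", 0),
    ("db_1428308275_1420532289_1", 900),
    ("db_1432097800_1428308291_0", 1200),
    ("db_1432863053_1432097788_2", 800),
    ("db_1433833137_1432863054_3", 1000),
    ("db_1434789933_1433833139_4", 1100),
    ("db_1435717564_1434789937_5", 950),
    ("db_1435820396_1435717565_6", 700),
    ("GlobalMetaData", 0),
    ("hot_v1_7", 0),
    ("hot_v1_8", 0),
]


@dataclass(frozen=True)
class Bucket:
    name: str
    newest: int    # epoch of the newest event in the bucket
    oldest: int    # epoch of the oldest event in the bucket
    local_id: int
    size_mb: int


def parse_bucket(name, size_mb=0):
    """Return a Bucket for a db_* directory, or None for anything else
    (hot buckets, CreationTime, GlobalMetaData, ...)."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    newest, oldest, local_id = (int(x) for x in m.groups())
    return Bucket(name, newest, oldest, local_id, size_mb)


def warm_buckets(listing):
    """Keep only the db_* entries of a directory listing, oldest first."""
    parsed = (parse_bucket(n, s) for n, s in listing)
    return sorted((b for b in parsed if b is not None), key=lambda b: b.newest)


def roll_to_cold(buckets, max_warm_db_count):
    """maxWarmDBCount: once more than this many warm buckets exist, the
    oldest ones are moved from homePath (WARMDB) to coldPath (COLDDB).
    They stay searchable after the move."""
    excess = len(buckets) - max_warm_db_count
    return [b.name for b in sorted(buckets, key=lambda b: b.newest)[:max(excess, 0)]]


def frozen_by_age(buckets, now, frozen_time_period_in_secs):
    """frozenTimePeriodInSecs: a bucket is frozen (deleted, or archived by
    coldToFrozenScript/coldToFrozenDir) once its newest event is older
    than this many seconds."""
    return [b.name for b in buckets if now - b.newest > frozen_time_period_in_secs]


def frozen_by_size(buckets, max_total_data_size_mb):
    """maxTotalDataSizeMB: when the index exceeds this size, buckets are
    frozen oldest-first until it fits (simplified model)."""
    total = sum(b.size_mb for b in buckets)
    frozen = []
    for b in sorted(buckets, key=lambda b: b.newest):
        if total <= max_total_data_size_mb:
            break
        frozen.append(b.name)
        total -= b.size_mb
    return frozen


if __name__ == "__main__":
    # Constructed reference point: a few days after the newest bucket.
    NOW = 1435900000
    buckets = warm_buckets(SAMPLE_LISTING)
    print("warm buckets:", len(buckets))
    print("roll to COLDDB (maxWarmDBCount=5):", roll_to_cold(buckets, 5))
    print("frozen by age (30 days):", frozen_by_age(buckets, NOW, 30 * 86400))
    print("frozen by size (5000 MB):", frozen_by_size(buckets, 5000))
```

Run it against your own index directory by replacing SAMPLE_LISTING with the output of an `ls` (and `du -sm` per bucket for the sizes); the age-based list tells you which buckets a given frozenTimePeriodInSecs would remove, which is the check to do before choosing a value.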

michael_lee
Path Finder

Thanks, I can do this. However, my problem is disk space. Can I say that after I do the above steps, I can move the whole directory called "COLDDB" elsewhere without stopping Splunk? Thanks


MuS
SplunkTrust

Simply put the COLDDB on a different volume, disk or file system and Splunk will move it for you.

michael_lee
Path Finder

Oh OK, like a SAN disk or something. Got it. Thanks.
