Solved: Re: What are these db_* files in the index directo...

michael_lee · ‎07-23-2015

Hi,

In one of my index directories:

CreationTime
db_1428308275_1420532289_1
db_1432097800_1428308291_0
db_1432863053_1432097788_2
db_1433833137_1432863054_3
db_1434789933_1433833139_4
db_1435717564_1434789937_5
db_1435820396_1435717565_6
GlobalMetaData
hot_v1_7
hot_v1_8

What are all those db_* files? Are they warm data? Can these be moved safely to somewhere else without restarting Splunk? They are filling up my server space.

thanks

MuS · ‎07-23-2015

Hi michael_lee,

Yes, these are your warm buckets, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

You should not move them while Splunk is running; stop Splunk, move them away and restart Splunk.
Be aware that moving warm buckets to a different location will result in those buckets no longer being searchable. Maybe you should also have a look at the indexes.conf option maxTotalDataSizeMB and frozenTimePeriodInSecs to set the maximum size and age of your index data http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Indexesconf

cheers, MuS

View solution in original post

MuS · ‎07-23-2015

Hi michael_lee,

Yes, these are your warm buckets, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

You should not move them while Splunk is running; stop Splunk, move them away and restart Splunk.
Be aware that moving warm buckets to a different location will result in those buckets no longer being searchable. Maybe you should also have a look at the indexes.conf option maxTotalDataSizeMB and frozenTimePeriodInSecs to set the maximum size and age of your index data http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Indexesconf

cheers, MuS

MuS · ‎07-23-2015

Just a small side note: looks like you can move them away without Splunk throwing errors, but still they are afterwards no longer searchable and I would not relay on that it is safe at all to do so in a production environment.

michael_lee · ‎07-23-2015

Hi thanks. In that case, if I wish to search for old data, i can just stop splunk, move back these archived warmed buckets, restart splunk and it will be searchable again, right? thanks

MuS · ‎07-23-2015

There is no need to do this manually, Splunk can to this for you 😉
In indexes.conf set the COLDDB path and also the warmToColdScript after that, Splunk will move the buckets ( after the frozenTimePeriodInSecs) from WARMDB to COLDDB and your data is still searchable.

michael_lee · ‎07-23-2015

thanks, i can do this. However my problem is disk space. Can I say that after I do the above steps, I can move the whole directory called "COLDDB" to elsewhere without stopping splunk? thanks

MuS · ‎07-23-2015

simply but the COLDDB on a different volume, disk, file system and Splunk will move it for you.

michael_lee · ‎07-23-2015

oh ok. like a SAN disk or something. Got it. Thanks.

What are these db_* files in the index directory? Can these be safely moved somewhere else without restarting Splunk?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor