I'm trying to set up some new indexes, and then best-practices way, and I'm a little confused on how to accomplish what I want.
I used to just make an index, define the maxTotalDataSizeMB (for the entire index) and move on. I never really cared much before. But now, I'm understanding that may not have been the best scenario. I don't know that I ever truly controlled how much data was in the hot/warm bucket vs cold (unsearchable). So how would I better do this now? Running v7.2.4 Splunk Enterprise now.
I want a 5GB searchable index (so hot/warm), but another 10GB set aside for cold which will be on another mount (spinning disc) and no frozen at all. Do I still have to define a thaweddb too? I was hoping to review my "original" vs "new" methods.
Am I missing anything??
[original_method]
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
maxTotalDataSizeMB = 15000
repFactor = auto
[new]
homePath = /opt/utils/splunk/new/db
homePath.maxDataSizeMB = 5000
coldPath = /opt/slowdisc/splunk/new/colddb
coldPath.maxDataSizeMB = 10000
thawedPath = /opt/utils/splunk/new/thaweddb
repFactor = auto
... View more