$SPLUNK_DB for one of our Splunk Search Servers filled up recently. The root cause was apparently a significant recent increase in the size of the _audit index on this server, due to increased search activity. We have dedicated Indexers as well, but apparently indexing for the _audit and _internal indexes (and possibly other internal indexes) still occurs on the Search Servers. We had been getting by with the default indexes.conf file (/opt/splunk/etc/system/default/indexes.conf) on the Search Server, but apparently that will no longer be possible.
We recently changed the indexes.conf files on our Indexers to use the volume based parameters ([volume:home], [volume:cold], etc.). That has worked well for the Indexers, where the hot/warm volume is a distinct volume and file system from the cold volume. For our Search servers, however, we just have all hot/warm and cold buckets in $SPLUNK_DB (/opt/splunk/var/lib/splunk). That being said, I would still like to use the volume based parameters in a new (non-default) indexes.conf file for the Search Servers, since I think it provides the best "set-it-and-forget-it" control, letting Splunk manage the size of all indexes based upon the volume size. Finally, to my question...
What's not clear to me is how to specify the parameters in [volume:home] and [volume:cold] stanzas in this scenario. Specifically, do I specify exactly the same maxVolumeDataSizeMB parameter value for each stanza? For example, if the size of the $SPLUNK_DB volume is 14 GB (14336 MB), is this how I would specify these parameters, or is this saying that I have 14 GB of hot/warm storage, and another 14 GB of cold storage?
# Volume for hot/warm buckets (referenced by the homePath entries below)
[volume:home]
path = $SPLUNK_DB
maxVolumeDataSizeMB = 14336

# Volume for cold buckets (referenced by the coldPath entries below)
[volume:cold]
path = $SPLUNK_DB
maxVolumeDataSizeMB = 14336

# Internal indexes pointed at the volumes; thawedPath may not use a volume reference
[_audit]
homePath = volume:home/audit/db
coldPath = volume:cold/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb

[_internal]
homePath = volume:home/_internaldb/db
coldPath = volume:cold/_internaldb/colddb
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
This article suggests that it's possible to use volume based parameters with a single volume for hot/warm and cold buckets:
When a volume containing warm buckets reaches its maxVolumeDataSizeMB, it starts rolling buckets to cold. When a volume containing cold buckets reaches its maxVolumeDataSizeMB, it starts rolling buckets to frozen. If a volume contains both warm and cold buckets (which will happen if an index's homePath and coldPath are both set to the same volume), the oldest bucket will be rolled to frozen.
But the article does not include an example of how to specify these parameters in this scenario. It's also not clear to me from the indexes.conf documentation.
I should add that 14 GB for $SPLUNK_DB (/opt/splunk/var/lib/splunk) is an approximation. The size of $SPLUNK_HOME (/opt/splunk) is actually 19.6 GB. I just want to say 14 GB is available for $SPLUNK_DB to account for the other stuff under /opt/splunk (e.g., the Splunk installation, configuration files, and some overhead for the minimum free space that Splunk requires in order to work). I wish it were possible to provide tighter control over the index space in this situation, but I don't think that is possible without putting $SPLUNK_DB in a separate dedicated file system by itself.
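The following indexes.conf fragment is an added example for the single-filesystem case described in the post; it is not taken from the post or from Splunk's shipped defaults. It assumes the same 14336 MB budget and the default bucket layout under $SPLUNK_DB. The key point it shows is that maxVolumeDataSizeMB is enforced per volume stanza, and Splunk does not recognise that two volume stanzas share a filesystem, so two volumes of 14336 MB each would allow up to roughly 28 GB in total. For one filesystem, one volume referenced by both homePath and coldPath gives a single cap over hot, warm and cold buckets; the volume name splunkdb is an arbitrary choice.

```ini
# Added example, not from the original post or Splunk's default indexes.conf.
# Assumes $SPLUNK_DB (/opt/splunk/var/lib/splunk) may hold 14336 MB of indexed data.

# --- Two-volume form from the post, shown for contrast (commented out) ---
# Each volume stanza is capped independently, so this allows up to
# 14336 MB of hot/warm PLUS 14336 MB of cold on the same filesystem.
#[volume:home]
#path = $SPLUNK_DB
#maxVolumeDataSizeMB = 14336
#
#[volume:cold]
#path = $SPLUNK_DB
#maxVolumeDataSizeMB = 14336

# --- Single-volume form for a single filesystem ---
# One volume, one cap. Because both homePath and coldPath below reference it,
# the 14336 MB limit covers hot, warm and cold buckets of every index that
# uses the volume. When the cap is reached, the oldest bucket in the volume
# (warm or cold) is rolled to frozen.
[volume:splunkdb]
path = $SPLUNK_DB
maxVolumeDataSizeMB = 14336

# Paths below the volume match the default $SPLUNK_DB layout, so existing
# buckets stay where they are. thawedPath may not use a volume reference.
[_audit]
homePath   = volume:splunkdb/audit/db
coldPath   = volume:splunkdb/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb

[_internal]
homePath   = volume:splunkdb/_internaldb/db
coldPath   = volume:splunkdb/_internaldb/colddb
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
```

Two caveats apply to this approach. Only indexes whose homePath or coldPath reference the volume count against its cap, so any other index left at its default $SPLUNK_DB paths (and all thawed buckets) consumes space outside the 14336 MB budget. Per-index limits such as maxTotalDataSizeMB and frozenTimePeriodInSecs still apply alongside the volume cap, and whichever limit is reached first triggers the roll to frozen. The fragment belongs in a local indexes.conf (for example $SPLUNK_HOME/etc/system/local/indexes.conf), and Splunk must be restarted for indexes.conf changes to take effect.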