Using Splunk Enterprise 6.5.3
I have recently downloaded Splunk Enterprise on an AWS Linux instance and have mounted a fast volume and a large storage volume. These are the following folders, with test1 as the index name:
The fast volume has a mountpoint of /data/hot and large storage as /data/cold.
I've added "SPLUNK_DB=/data" in the /etc/environment file and the /opt/splunk/etc/splunk-launch.conf file
I copied over the buckets from /opt/splunk/var/lib/splunk/defaultdb/ to these new folders:
# -r is required: db, colddb and thaweddb are directories, so plain cp would refuse to copy them
sudo cp -r /opt/splunk/var/lib/splunk/defaultdb/db /data/hot/test1/
sudo cp -r /opt/splunk/var/lib/splunk/defaultdb/colddb /data/cold/test1/
sudo cp -r /opt/splunk/var/lib/splunk/defaultdb/thaweddb /data/cold/test1/
So now the following folders exist:
The problem is I've created a custom indexes.conf file in /opt/splunk/etc/local/indexes.conf and what I want it to do is at a certain size move the data from hot to warm and when it reaches a certain time, move to cold storage. I've gone through the documentation, edited this file a whole bunch of times (and restarted it after edits) and I still cannot figure out how I can move this data between buckets. I've also read in some places that you cannot move from warm to cold by time, which in that case, how would you do it by size?
I've tested by uploading a zip file to the Splunk service on :8000. This then creates a hot bucket in /data/hot/test1/db/hot_v1_0. After I restart the service, this hot bucket is converted (I'm assuming) to a warm bucket in /data/hot/test1/db/db_mostrecenteventtime_latesteventtime. A prerequisite was also to create a new index on the web interface called test1 for Splunk to be able to store it there, where I've added the /data/hot etc. and /data/cold etc. directories.
As I'm new to Splunk I'm not 100% sure if that's how it can work, so if anyone can help on this issue / explain Splunk to me, that would be greatly, greatly appreciated!
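As an added example (not part of the original post), here is an indexes.conf stanza for the test1 index using the /data/hot and /data/cold paths from the question; it assumes the file lives at /opt/splunk/etc/system/local/indexes.conf, and the size, count and retention values are placeholders to adjust.

```ini
# Added example stanza for the test1 index; the numeric values are assumptions to tune.
[test1]
homePath   = /data/hot/test1/db          # hot and warm buckets (fast volume)
coldPath   = /data/cold/test1/colddb     # cold buckets (large volume)
thawedPath = /data/cold/test1/thaweddb   # restored (thawed) buckets

# Hot -> warm: a hot bucket rolls to warm when it reaches maxDataSize (MB),
# or when its time span exceeds maxHotSpanSecs, or on restart.
maxDataSize    = 750
maxHotSpanSecs = 86400
maxHotBuckets  = 3

# Warm -> cold: driven by count or by the size of homePath, not by event age.
# Rolling happens when warm buckets exceed maxWarmDBCount or homePath exceeds
# homePath.maxDataSizeMB (MB); the oldest warm bucket moves to coldPath.
maxWarmDBCount          = 100
homePath.maxDataSizeMB  = 50000

# Cold -> frozen: this is the transition that is time based. Buckets whose
# newest event is older than frozenTimePeriodInSecs are frozen (deleted unless
# coldToFrozenDir is set); coldPath.maxDataSizeMB freezes by size instead.
frozenTimePeriodInSecs  = 15552000
coldPath.maxDataSizeMB  = 500000
coldToFrozenDir         = /data/cold/test1/frozen
```

Every path here must be readable and writable by the account the splunkd process runs as; directories created with sudo cp are owned by root, so check ownership before restarting. Compare the effective values with `splunk btool indexes list test1 --debug`, which also shows which file each setting came from.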