Getting Data In

How can I manually move buckets from WARM to COLD

cpenkert
Path Finder

We recently made several indexes.conf file changes, notably changing our bucket size from 5GB to 1GB. Along with this, we changed our MaxHotBuckets and MaxWarmDBCount to align with our new bucket size of 1GB.

As we still have many of our 5GB buckets in our WARM location, we are not reaching our max for WARM buckets, before hitting our MaxTotalDataSizeinMB.

Result = COLD data freezing sooner than we'd like and our HOT/WARM data location filling up.

What is the process for moving WARM buckets to COLD manually?

Tags (2)

gkanapathy
Splunk Employee
Splunk Employee

All you need to do is stop Splunk, then move the buckets from the hot directory to the cold one, the start Splunk. Generally, you move the lowest numbered ones first, but really, you move the ones with the oldest most recent data first.

BunnyHop
Contributor

BunnyHop
Contributor

As of right now, and AFAIK, the only manual process you can do to roll buckets is the CLI from Hot to Warm.

0 Karma

cpenkert
Path Finder

I was looking for a way to manually do this, rather than manipulate how splunk automatically does it. I ended up going the route suggested in this article and above as I was running into disk full issues.

0 Karma

yannK
Splunk Employee
Splunk Employee

You can play with the parameter in $SPLUNK_HOME/etc/system/local/indexes.conf

[default] maxWarmDBCount = xxx

yannK
Splunk Employee
Splunk Employee
0 Karma

cpenkert
Path Finder

I should also note that I don't want to move ALL WARM db's to cold, just select ones.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...