Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to mount HOT to a ram disk for performance?

daniel333
Builder
‎09-06-2017 10:18 AM

All,

Just day dreaming here a little as I read the indexes.conf file documentation a bit. I was thinking, assuming you're willing to risk the data loss wouldn't it make sense to house your Hot buckets to a RAM disk, then roll from HOT to warm to actual disk?

Crazy?

https://www.jamescoyle.net/how-to/943-create-a-ram-disk-in-linux

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-06-2017 10:25 AM

HOT and WARM are on the same filesystem; you cannot separate that. The only real difference between HOT and WARM buckets is that HOT buckets are open for R/W whereas WARM buckets are read-only.
Splunk really doesn't care how you implement the HOT/WARM storage as long as it is exposed as a supported filesystem.
You will very definitely want to very carefully assess your failure scenarios with RAM disk.

Reply

jkat54
SplunkTrust
SplunkTrust
‎09-06-2017 11:07 AM

I concur with the above.

Also consider the limitation of maybe at most 512gb available...

Would be great for a very specific use case though!

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎09-06-2017 11:54 AM

An unscheduled reboot will loose all the data from a RAMdisk. and since some hot buckets stay around a long time, you would loose all that data. You'd also loose the warm buckets, too, since they have to reside on the same FS.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-06-2017 11:58 AM

True.

You will very definitely want to very carefully assess your failure scenarios with RAM disk.

In other words: Don't do this without Splunk index replication. Spread your indexers across multiple racks/switches/PDUs/etc.
Even after doing anything you can think of, accept the remaining risk of losing data due to catastrophic failures.

Reply

gjanders
SplunkTrust
SplunkTrust
‎09-08-2017 12:08 AM

Also consider what will happen when a server requires a reboot for maintenance purposes.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...