Solved: What are these db_* files in the index directory? ...

michael_lee · ‎07-23-2015

Hi,

In one of my index directories:

CreationTime
db_1428308275_1420532289_1
db_1432097800_1428308291_0
db_1432863053_1432097788_2
db_1433833137_1432863054_3
db_1434789933_1433833139_4
db_1435717564_1434789937_5
db_1435820396_1435717565_6
GlobalMetaData
hot_v1_7
hot_v1_8

What are all those db_* files? Are they warm data? Can these be moved safely to somewhere else without restarting Splunk? They are filling up my server space.

thanks

MuS · ‎07-23-2015

Hi michael_lee,

Yes, these are your warm buckets, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

You should not move them while Splunk is running; stop Splunk, move them away and restart Splunk.
Be aware that moving warm buckets to a different location will result in those buckets no longer being searchable. Maybe you should also have a look at the indexes.conf option maxTotalDataSizeMB and frozenTimePeriodInSecs to set the maximum size and age of your index data http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Indexesconf

cheers, MuS

View solution in original post

MuS · ‎07-23-2015

Hi michael_lee,

Yes, these are your warm buckets, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

You should not move them while Splunk is running; stop Splunk, move them away and restart Splunk.
Be aware that moving warm buckets to a different location will result in those buckets no longer being searchable. Maybe you should also have a look at the indexes.conf option maxTotalDataSizeMB and frozenTimePeriodInSecs to set the maximum size and age of your index data http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Indexesconf

cheers, MuS

MuS · ‎07-23-2015

Just a small side note: looks like you can move them away without Splunk throwing errors, but still they are afterwards no longer searchable and I would not relay on that it is safe at all to do so in a production environment.

michael_lee · ‎07-23-2015

Hi thanks. In that case, if I wish to search for old data, i can just stop splunk, move back these archived warmed buckets, restart splunk and it will be searchable again, right? thanks

MuS · ‎07-23-2015

There is no need to do this manually, Splunk can to this for you 😉
In indexes.conf set the COLDDB path and also the warmToColdScript after that, Splunk will move the buckets ( after the frozenTimePeriodInSecs) from WARMDB to COLDDB and your data is still searchable.

michael_lee · ‎07-23-2015

thanks, i can do this. However my problem is disk space. Can I say that after I do the above steps, I can move the whole directory called "COLDDB" to elsewhere without stopping splunk? thanks

MuS · ‎07-23-2015

simply but the COLDDB on a different volume, disk, file system and Splunk will move it for you.

michael_lee · ‎07-23-2015

oh ok. like a SAN disk or something. Got it. Thanks.

What are these db_* files in the index directory? Can these be safely moved somewhere else without restarting Splunk?

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024