Splunk Search

What are these db_* files in the index directory? Can these be safely moved somewhere else without restarting Splunk?

michael_lee
Path Finder

Hi,

In one of my index directories:

CreationTime
db_1428308275_1420532289_1
db_1432097800_1428308291_0
db_1432863053_1432097788_2
db_1433833137_1432863054_3
db_1434789933_1433833139_4
db_1435717564_1434789937_5
db_1435820396_1435717565_6
GlobalMetaData
hot_v1_7
hot_v1_8

What are all those db_* files? Are they warm data? Can these be moved safely to somewhere else without restarting Splunk? They are filling up my server space.

thanks


MuS
Legend

Hi michael_lee,

Yes, these are your warm buckets, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/HowSplunkstoresindexes#Bucket_naming_conve...

You should not move them while Splunk is running; stop Splunk, move them away and restart Splunk.
Be aware that moving warm buckets to a different location will result in those buckets no longer being searchable. Maybe you should also have a look at the indexes.conf option maxTotalDataSizeMB and frozenTimePeriodInSecs to set the maximum size and age of your index data http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Indexesconf

cheers, MuS
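
Added example (not part of the original thread, and not Splunk's own code): a short Python script that reads the directory listing from the question using the naming convention described in the linked docs, `db_<newest_time>_<oldest_time>_<local_id>` with times in UTC epoch seconds, and reports which buckets already lie entirely past a retention window. The function names, the "now" value and the 60-day window are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# db_<newest_time>_<oldest_time>_<local_id>; times are UTC epoch seconds.
DB_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
HOT_RE = re.compile(r"^hot_v\d+_(\d+)$")

# Directory listing copied from the question above.
LISTING = """CreationTime
db_1428308275_1420532289_1
db_1432097800_1428308291_0
db_1432863053_1432097788_2
db_1433833137_1432863054_3
db_1434789933_1433833139_4
db_1435717564_1434789937_5
db_1435820396_1435717565_6
GlobalMetaData
hot_v1_7
hot_v1_8""".split()

def utc(epoch):
    """Format epoch seconds as a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_entry(name):
    """Return a dict for a bucket directory, or None for any other entry."""
    m = DB_RE.match(name)
    if m:
        newest, oldest, local_id = (int(g) for g in m.groups())
        if oldest > newest:
            raise ValueError(f"oldest time is after newest time in {name!r}")
        return {"name": name, "kind": "db", "id": local_id,
                "oldest": oldest, "newest": newest}
    m = HOT_RE.match(name)
    if m:
        return {"name": name, "kind": "hot", "id": int(m.group(1))}
    return None

def db_buckets_oldest_first(names):
    """Parsed db_* buckets sorted by their oldest event time."""
    parsed = [b for b in map(parse_entry, names) if b and b["kind"] == "db"]
    return sorted(parsed, key=lambda b: b["oldest"])

def past_retention(names, now, frozen_secs):
    """Names of db_* buckets whose newest event is older than now - frozen_secs."""
    cutoff = now - frozen_secs
    return [b["name"] for b in db_buckets_oldest_first(names) if b["newest"] < cutoff]

if __name__ == "__main__":
    for b in db_buckets_oldest_first(LISTING):
        print(f'{b["name"]}: {utc(b["oldest"])} .. {utc(b["newest"])} UTC')
    # Constructed values: "now" = newest event in the listing, 60-day window.
    print(past_retention(LISTING, now=1435820396, frozen_secs=60 * 86400))
```

Only buckets whose newest event falls before the cutoff are listed, so a bucket that straddles the cutoff is not reported.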

MuS
Legend

Just a small side note: it looks like you can move them away without Splunk throwing errors, but they are still no longer searchable afterwards, and I would not rely on it being safe at all to do so in a production environment.


michael_lee
Path Finder

Hi, thanks. In that case, if I wish to search for old data, I can just stop Splunk, move back these archived warm buckets, restart Splunk and it will be searchable again, right? Thanks


MuS
Legend

There is no need to do this manually, Splunk can do this for you 😉
In indexes.conf set the COLDDB path and also the warmToColdScript; after that, Splunk will move the buckets (after the frozenTimePeriodInSecs) from WARMDB to COLDDB and your data is still searchable.

michael_lee
Path Finder

Thanks, I can do this. However, my problem is disk space. Can I say that after I do the above steps, I can move the whole directory called "COLDDB" elsewhere without stopping Splunk? Thanks


MuS
Legend

Simply put the COLDDB on a different volume, disk, file system and Splunk will move it for you.

michael_lee
Path Finder

Oh, OK. Like a SAN disk or something. Got it. Thanks.
