Re: Does maxVolumeDataSizeMB apply to all indexes ...

southeringtonp · ‎03-21-2011

Is Splunk smart enough to recognize that main and others are included under the primary volume even when main's path doesn't reference the volume name?

In other words, is it necessary to re-define the values of homePath and coldPath for each index, or will it automatically freeze buckets from all indexes on the partition when the value of maxVolumeDataSizeMB is crossed?

In the example below, it seems like buckets in main should start to be frozen after the total usage crossed ~3 TB, but it isn't completely clear based on the documentation here and here.

# $SPLUNK_DB = /mnt/internal
[main]
homePath   = $SPLUNK_DB/defaultdb/db
coldPath   = $SPLUNK_DB/defaultdb/colddb

# Initial indexing location
[volume:primary]
path = /mnt/internal
maxVolumeDataSizeMB = 3000000

[index2]
homePath   = primary:/defaultdb/db
coldPath   = primary:/defaultdb/colddb

sowings · ‎06-25-2013

My experience with volumes is that if you specify a volume path, and you have indexes that lie under the same path (but don't use the volume:<name> tag, Splunk will complain on startup. I believe that the complaint is words to the effect of "this index is under a volume, but not part of it, volume retention rules won't work."

As a best practice, I've always been in the habit of re-defining the homePath and coldPath of each index.

Does maxVolumeDataSizeMB apply to all indexes in the volume's path?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases