Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splitting /splunk/frozen volume

splunkdeploy
New Member
‎03-23-2015 05:42 AM

Hi,

In my environment we have so many index servers Eg:8 idx servers.
All servers are mounted with one nfs volume called /splunk which has 11TB.
/splunk mount point contain hot ,cold, warm and frozen.

No as we have some space issue, we need to separate frozen from the /splunk volume.
We have got one new nfs volume with 10TB for /splunk/frozen.
Now the query is if I need to separate the frozen from the old volume, i can mount it separately and copy old data.But do i need to make any changes in any of the splunk configuration?

Please suggest here.

Regards,
Unni TN

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎03-23-2015 01:12 PM

You can use the coldtofrozendir setup, in indexes.conf

To avoid duplicates buckets, I recommend to create a new destination frozen folder for each pair or indexer/index.
It will also make it easier to restore.
(do not dump all in the same folder, it will be a nightmare)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-23-2015 11:54 AM

So wait, what?

  1. You have 8 servers mounted to a SINGLE 11TB NFS Mount?
  2. What are the server specs of the indexers?
  3. How are you transitioning from cold to frozen? Homebrew script? Shuttl?
0 Karma
Reply

splunkdeploy
New Member
‎03-24-2015 05:06 AM

Hi,

1.You have 8 servers mounted to a SINGLE 11TB NFS Mount?
yes, I have 8 diff. servers mounted to 11TB. 11TB mount name in /splunk and it has hot , cold and frozen.
Inside /splunk/frozen i have diff. 8 server name.

2.What are the server specs of the indexers?
All 8 servers have, 8 CPU and 16GB Memory.

  1. How are you transitioning from cold to frozen? Homebrew script? Shuttl? When i have checked indexes.conf file i could see frozen transition has designed as

coldToFrozenDir = /splunk/frozen/$HOSTNAME

Regards,
Unni TN

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎03-24-2015 09:01 AM

use a folder per index and indexer.
coldToFrozenDir = /splunk/frozen/servername/indexname

0 Karma
Reply

somesoni2
Revered Legend
‎03-23-2015 12:27 PM

FYR, Answer for 3 can be found by checking the value of attribute "coldToFrozenDir" OR "coldToFrozenScript" from indexes.conf file on Indexer server.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...