Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splitting /splunk/frozen volume

splunkdeploy
New Member
‎03-23-2015 05:42 AM

Hi,

In my environment we have so many index servers Eg:8 idx servers.
All servers are mounted with one nfs volume called /splunk which has 11TB.
/splunk mount point contain hot ,cold, warm and frozen.

No as we have some space issue, we need to separate frozen from the /splunk volume.
We have got one new nfs volume with 10TB for /splunk/frozen.
Now the query is if I need to separate the frozen from the old volume, i can mount it separately and copy old data.But do i need to make any changes in any of the splunk configuration?

Please suggest here.

Regards,
Unni TN

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎03-23-2015 01:12 PM

You can use the coldtofrozendir setup, in indexes.conf

To avoid duplicates buckets, I recommend to create a new destination frozen folder for each pair or indexer/index.
It will also make it easier to restore.
(do not dump all in the same folder, it will be a nightmare)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-23-2015 11:54 AM

So wait, what?

  1. You have 8 servers mounted to a SINGLE 11TB NFS Mount?
  2. What are the server specs of the indexers?
  3. How are you transitioning from cold to frozen? Homebrew script? Shuttl?
0 Karma
Reply

splunkdeploy
New Member
‎03-24-2015 05:06 AM

Hi,

1.You have 8 servers mounted to a SINGLE 11TB NFS Mount?
yes, I have 8 diff. servers mounted to 11TB. 11TB mount name in /splunk and it has hot , cold and frozen.
Inside /splunk/frozen i have diff. 8 server name.

2.What are the server specs of the indexers?
All 8 servers have, 8 CPU and 16GB Memory.

  1. How are you transitioning from cold to frozen? Homebrew script? Shuttl? When i have checked indexes.conf file i could see frozen transition has designed as

coldToFrozenDir = /splunk/frozen/$HOSTNAME

Regards,
Unni TN

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎03-24-2015 09:01 AM

use a folder per index and indexer.
coldToFrozenDir = /splunk/frozen/servername/indexname

0 Karma
Reply

somesoni2
Revered Legend
‎03-23-2015 12:27 PM

FYR, Answer for 3 can be found by checking the value of attribute "coldToFrozenDir" OR "coldToFrozenScript" from indexes.conf file on Indexer server.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...