Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Better Hot-To-Warm Roll Methods?

tgiles
Path Finder
‎01-18-2011 04:15 PM

Hi,

I'm trying to pin down a method to quickly export an index from a Splunk indexer that I can copy off to another Splunk instance on a different system.

From what I have seen thus far, that would entail me performing a roll-to-warm, stop Splunk on indexer, copy the db files, and start up Splunk on the indexer once again. Wondering if there is a better method.

  • splunk _internal call /data/indexes/$indexName/roll-hot-buckets (this will roll the hot bucket to warm for backup)
  • splunk stop splunkd (will stop splunk, to keep the index from getting written to)
  • ...copy / zip files as needed here...
  • splunk start splunkd (restarts splunk again, enabling indexing for the target index we're working on)

Thanks for any input!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎01-18-2011 09:58 PM

You may find some information from this question helpful:

http://answers.splunk.com/questions/3078/copy-an-index-on-the-same-splunk-instance

Assuming your not on Windows, you can copy your data while splunkd is running, but your results may not be fully consistent. So some kind of files system or block-level snapshotting is ideal here to get a more consistent result. (For example, using a LVM snapshot). In this case you shouldn't need to bring splunkd down at all, or roll your buckets from hot to warm. Of course, it all depends on what kind of event loss tolerance you can handle. And if you're looking to do a one-time copy of a bucket, or use something like rsync on a ongoing basis (see the above link.)

Stopping and restarting splunkd is certainly going to interrupt any running searches and put a temporary delay on any indexing. And if your actually bringing down splunkd then even your "hot" buckets will be consistent while the splunkd is not running. Also keep in mind that forcing a bucket roll, will NOT guarantee that all of your buckets are WARM, because splunk will immediately create new hot buckets for any events that are received between the time your script forceably rolls your buckets and the time splunkd is shut down.

Again, the more details you can provide the more helpful the people here can be.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎01-18-2011 09:58 PM

You may find some information from this question helpful:

http://answers.splunk.com/questions/3078/copy-an-index-on-the-same-splunk-instance

Assuming your not on Windows, you can copy your data while splunkd is running, but your results may not be fully consistent. So some kind of files system or block-level snapshotting is ideal here to get a more consistent result. (For example, using a LVM snapshot). In this case you shouldn't need to bring splunkd down at all, or roll your buckets from hot to warm. Of course, it all depends on what kind of event loss tolerance you can handle. And if you're looking to do a one-time copy of a bucket, or use something like rsync on a ongoing basis (see the above link.)

Stopping and restarting splunkd is certainly going to interrupt any running searches and put a temporary delay on any indexing. And if your actually bringing down splunkd then even your "hot" buckets will be consistent while the splunkd is not running. Also keep in mind that forcing a bucket roll, will NOT guarantee that all of your buckets are WARM, because splunk will immediately create new hot buckets for any events that are received between the time your script forceably rolls your buckets and the time splunkd is shut down.

Again, the more details you can provide the more helpful the people here can be.

0 Karma
Reply
Solved! Jump to solution

ephemeric
Contributor
‎03-08-2013 10:30 AM

@Lowell: thank you, this was very helpful, I'm researching something similar.

0 Karma
Reply
Solved! Jump to solution

tgiles
Path Finder
‎01-18-2011 10:23 PM

Thanks for your input, Lowell. I'm still doing a lost of investigation with a test setup, so a number of items on my end are still in flux.

You gave me a solid alternative method that I will perform some testing with. Thanks for your time!

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎01-18-2011 04:24 PM

Can you provide a high-level overview of what you are trying to accomplish? Also if you can provide some reason(s) why you can't simply use splunk event forwarding which traditionally the suggested way of distributing events across splunk instances.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...