Is Splunk smart enough to recognize that main
and others are included under the primary
volume even when main
's path doesn't reference the volume name?
In other words, is it necessary to re-define the values of homePath
and coldPath
for each index, or will it automatically freeze buckets from all indexes on the partition when the value of maxVolumeDataSizeMB
is crossed?
In the example below, it seems like buckets in main
should start to be frozen after the total usage crossed ~3 TB, but it isn't completely clear based on the documentation here and here.
# $SPLUNK_DB = /mnt/internal
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
# Initial indexing location
[volume:primary]
path = /mnt/internal
maxVolumeDataSizeMB = 3000000
[index2]
homePath = primary:/defaultdb/db
coldPath = primary:/defaultdb/colddb
My experience with volumes is that if you specify a volume path, and you have indexes that lie under the same path (but don't use the volume:<name> tag, Splunk will complain on startup. I believe that the complaint is words to the effect of "this index is under a volume, but not part of it, volume retention rules won't work."
As a best practice, I've always been in the habit of re-defining the homePath and coldPath of each index.