Solved: Can someone explain the Splunk 6 clustered bucket ...

sonicZ · ‎10-16-2014

I am familiar with the old db bucket naming convention
db_latesttime_earliesttime_idnum

But what's the deal with splunk5/6 clustered buckets naming conventions?
I can tell some dirs use the instance name from $SPLUNK_HOME/splunk/etc/instance.cfg in their name and guessing that's how a replicated bucket keeps its instance name.
For example one difference i see, What does the rb_ prefix mean before some of these buckets?

drwx------ 3 root root 4096 Oct 11 04:25 rb_1410795640_1410470068_3_A44F2765-BC19-4248-8306-8373E48E524F
drwx------ 3 root root 4096 Oct 11 06:11 rb_1410795914_1410486747_3_F3CA4477-E3B7-4D55-A0B8-9FD89D030A75

Also Is it safe to move cold or warm buckets around when in a cluster environment?

sowings · ‎10-16-2014

rb_ is a replicated bucket. The GUID appearing after the bucket ID (A44* or F3C* in your case) is the GUID of the indexer that received the events initially.

View solution in original post

dxu_splunk · ‎10-16-2014

http://docs.splunk.com/Documentation/Splunk/6.1.4/Indexer/HowSplunkstoresindexes#Warm.2Fcold_bucket_...

it is safe to move the buckets (assuming splunk is not running) amongst the directories

sowings · ‎10-16-2014

rb_ is a replicated bucket. The GUID appearing after the bucket ID (A44* or F3C* in your case) is the GUID of the indexer that received the events initially.

Can someone explain the Splunk 6 clustered bucket directory structure/naming conventions?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...