Deployment Architecture

What are the .sentinel files in $SPLUNK_DB for?

mctester
Communicator

I was moving some buckets around to make some space on my main storage volume. I know the db_* directories are complete buckets and can be moved around easily, but I noticed there's also a *.sentinel file for every bucket.

1) What does this file do?

2) Do I need to move it around with the bucket?

3) If I drop a bucket into another instance to read the data there, does that instance need the .sentinel file too?

Tags (2)
1 Solution

jrodman
Splunk Employee
Splunk Employee

The .sentinel files are used on Splunk for win32/win64 as part of the locking strategy, to ensure exclusive access to buckets for certain types of modifications. Windows doesn't allow locking calls on directories with the same semantics as we desired.

They are mostly useless on a unix-based system, but in the interests of the index data format being able to traverse platforms are produced nonetheless.

Best practice is to move the .sentinel with the bucket it goes with.

View solution in original post

Lowell
Super Champion

Just to follow up on jrodmans comment about stale sentinel files. Perhaps some one will find this useful.

Here is a short script I wrote which searches your index folder for .sentinel files without a matching bucket. You can use the output to quickly remove these files (or event have them be removed directly by uncommenting a line in the script).


Code listing for lone_sentinel.py:

#!/usr/bin/python
import os

SENTINEL = ".sentinel"

def find_sentinels(path):
    for (root, dirs, files) in os.walk(path):
        if "rawdata" in dirs:
            dirs.remove("rawdata")
        for fn in files:
            if fn.endswith(SENTINEL):
                yield os.path.join(root, fn)

def find_lone_sentinels(path):
    for sentinel in find_sentinels(path):
        bucket = sentinel[:-len(SENTINEL)]
        if not os.path.isdir(bucket):
            print sentinel
            # To remove these files, uncomment the next line
            #os.unlink(sentinel)

if __name__ == '__main__':
    import sys
    if len(sys.argv) > 2:
        path = sys.arvg[1]
    else:
        path = os.environ["SPLUNK_DB"]
    find_lone_sentinels(path)

jrodman
Splunk Employee
Splunk Employee

Woohoo, generators.

0 Karma

jrodman
Splunk Employee
Splunk Employee

The .sentinel files are used on Splunk for win32/win64 as part of the locking strategy, to ensure exclusive access to buckets for certain types of modifications. Windows doesn't allow locking calls on directories with the same semantics as we desired.

They are mostly useless on a unix-based system, but in the interests of the index data format being able to traverse platforms are produced nonetheless.

Best practice is to move the .sentinel with the bucket it goes with.

jrodman
Splunk Employee
Splunk Employee

Sure, but I don't like leaving stale ones lying around.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Note that if Splunkd is down (which it should be if you're moving buckets around manually), the .sentinel files don't matter at all, even on Windows. You can delete them or not, and they will be recreated as necessary. Note that they are always just empty (zero-byte) files.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...