
How to split up $SPLUNK_DB and colddb

hartfoml
Motivator

I have many indexes on my three indexers. I have attached NFS shares for the colddb. All the indexes are at $SPLUNK_DB/indexname/colddb.

If I stop splunk and copy all the cold buckets to a new share
rsync -Rv --archive */colddb/* /mnt/cs-1/splunk/
How can I point splunk to the new location at startup?

0 Karma
1 Solution

lycollicott
Motivator

Edit your indexes.conf file and change the cold setting for each index.

For example, change this:

coldPath   = $SPLUNK_DB\defaultdb\colddb

to this:

coldPath = \your_newpath\defaultdb\colddb

0 Karma

lycollicott
Motivator

Let me clarify something for you ....

  1. Stop splunk first
  2. Do your rsync
  3. Edit indexes.conf
  4. Start splunk.
0 Karma

hartfoml
Motivator

Part of what @lycollicott suggested solved my problem. I created a new variable in splunk-launch.conf, then did a global search and replace in all the indexes.conf for the new variable to the "colddb = $SPLUNK_COLDDB". This will have to be changed for every new index that is created in the future.

0 Karma

hartfoml
Motivator

Thanks, but there are many indexes.conf to edit. I was looking for something that would change the default behavior. Perhaps something in the splunk-launch.conf where the default SPLUNK_DB is located?

Thanks for the response.

0 Karma

lycollicott
Motivator

Now, wait a minute. Your post indicated that you wanted to move only colddb, right? Well, if you change the value of SPLUNK_DB (which is possible) then that affects your hot/warm buckets as well as cold.

If you want to relocate only your colddb buckets then you have to edit the indexes.conf file.

0 Karma

hartfoml
Motivator

Thanks, that is the answer I was hoping not to get. I was hoping someone had a way to address where the cold buckets were without having to edit all the indexes.conf for all the apps that have been installed along with all the data sources that have been added. Looks like 86 different indexes to edit in about 14 different indexes.conf files, and some are default so I will have to create some new indexes.conf. I was hoping for a better answer than the one you provided.

Thanks for your help 🙂

0 Karma

lycollicott
Motivator

I have never tried this myself, but I wonder if you could create a new variable SPLUNK_COLDDB in splunk-launch.conf. Unfortunately you would still have to edit indexes.conf.

hartfoml
Motivator

That is a great idea. I will try it.

Create a variable called SPLUNK_COLDDB in splunk-launch.conf
Replace "coldPath = $SPLUNK_DB" with "coldPath = $SPLUNK_COLDDB" in 84 locations

Is there a way to change the default coldPath for newly created indexes?

0 Karma
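
The search-and-replace described in this thread, as an added example that is not part of any post and not Splunk's own tooling: it rewrites only `coldPath` lines that start with `$SPLUNK_DB`, keeps a `.bak` copy of each changed file, and leaves `homePath`, `thawedPath` and `volume:` paths untouched. The function names, the sample stanzas and the `SPLUNK_COLDDB=/mnt/cs-1/splunk` value in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes splunk-launch.conf already holds a
# line such as SPLUNK_COLDDB=/mnt/cs-1/splunk and that Splunk is stopped.

# Match only coldPath keys whose value starts with $SPLUNK_DB plus a path
# separator (/ or \); homePath, thawedPath and volume: paths never match.
COLD_RE='^([[:space:]]*coldPath[[:space:]]*=[[:space:]]*)\$SPLUNK_DB([/\\])'

# rewrite_coldpath FILE: edit FILE, keep FILE.bak, print the number of lines changed.
rewrite_coldpath() {
    conf=$1
    count=$(grep -c -E "$COLD_RE" "$conf" || true)
    if [ "$count" -eq 0 ]; then echo 0; return 0; fi
    cp -p "$conf" "$conf.bak"
    sed -E "s|$COLD_RE|\\1\$SPLUNK_COLDDB\\2|" "$conf.bak" > "$conf"
    echo "$count"
}

# rewrite_all ROOT: process every indexes.conf under ROOT, print the total changed.
rewrite_all() {
    find "$1" -type f -name indexes.conf | while IFS= read -r f; do
        rewrite_coldpath "$f"
    done | awk '{ s += $1 } END { print s + 0 }'
}

# make_sample: build a constructed config tree for a dry run and print its path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/apps/demo/local"
    cat > "$dir/apps/demo/local/indexes.conf" <<'EOF'
[main]
homePath   = $SPLUNK_DB/defaultdb/db
coldPath   = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb

[archive]
homePath = $SPLUNK_DB/archive/db
coldPath = volume:cold/archive/colddb
EOF
    echo "$dir"
}
```

Run `rewrite_all` against a copy of the configuration tree first and diff each file against its `.bak` before starting Splunk again.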

lycollicott
Motivator

I just tried a new variable and it did work. LOL, give me some karma HaHa

0 Karma

ebwong
Loves-to-Learn

Is there another configuration file that I can set the $COLD_DB Variable in so that I can "override" the default configuration from an app?

0 Karma

lycollicott
Motivator

I doubt it.

0 Karma