We would like to use a combination of solid state drives for the hot index and slower, cheaper disk for the warm/cold buckets. Is there a way to tell Splunk that the total size of all hot indexes should not exceed a certain size and roll events when that size is reached?
Thanks.
Craig
You can make use of volume notation in indexes.conf for hot and warm. Note that hot and warm should be on the same path. As usual, there is more info here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/indexesconf
indexes.conf
[volume:hot1]
path = /mnt/fast_disk
maxVolumeDataSizeMB = 100000
[volume:cold1]
path = /mnt/big_disk
[idx1]
homePath = volume:hot1/idx1
coldPath = volume:cold1/idx1
[idx2]
homePath = volume:hot1/idx2
coldPath = volume:cold1/idx2
Hope it helps
please upvote if you find this answer useful
You can make use of volume notation in indexes.conf for hot and warm. Note that hot and warm should be on the same path. As usual, there is more info here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/indexesconf
indexes.conf
[volume:hot1]
path = /mnt/fast_disk
maxVolumeDataSizeMB = 100000
[volume:cold1]
path = /mnt/big_disk
[idx1]
homePath = volume:hot1/idx1
coldPath = volume:cold1/idx1
[idx2]
homePath = volume:hot1/idx2
coldPath = volume:cold1/idx2
Hope it helps
please upvote if you find this answer useful