Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Do the splunk indexers need to be stopped before rolling hot buckets to warm ?

tevgey23
Explorer
‎08-02-2012 06:09 AM

I need to roll some hot buckets from hot to cold and I wanted to know if the splunk indexers need
to be stopped before hand ?

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎08-02-2012 07:55 AM

Why do you need to do this? Splunk will take care of this automatically, and it is best to let Splunk do it.

If you really need to make a change in how your buckets are managed, you should change your settings in indexes.conf.
However, you will still need to restart your indexers in order for the changes to take effect.

And BTW, when you restart the indexers, all hot buckets are closed and rolled automatically. if you have multiple indexers and are doing load-balanced forwarding, you should be able to restart each indexer one at a time, without affecting the indexing in any way. Of course, running searches would probably be affected. Even if you have only one indexer, you should be able to restart it cleanly, as the forwarders will cache while the indexer is unavailable.

I would NOT roll any buckets by hand. If you think you have such a severe problem that this is required, I recommend that you contact Support first.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...