Deployment Architecture

indexes.conf stopping my search heads from starting.

willsy
Communicator

hello,

i just want to confirm / clarify if what i am about to do is correct. i have read the index guides, indexes guides and cluster guides.

When my splunk multi site and clustered approach died my indexed data was no longer searchable and my search heads in particular would not turn on. it gave me a db error. i did some fault finding and effectively the homepath to my indexed data was both not writable anymore and also in the wrong place (PS architect that built the environment and put it in this specific location)

so my question....

If i change the indexes.conf file to have the location of the indexed data to
"servername/D:/Splunk/hotdb"
"servername/D:/Splunk/colddb"
"servername/D:/Splunk/thaweddb"

servername being the specific networked name of the new storage array.

will that allow me to store the data there and will it be searchable? yes i will ensure ability to write to that location.

part 2: what other specific files need to be changed on a multi site clustered indexer environment in order to make this work? i have a cluster master, license master, deployment server. 3 x indexers in each location and 1x SH in each location.

it is still in test so losing the data isnt actually a drama, i just want a correctly working area first.

part 3: due to monetary constraints the second site at the moment does not have its own data storage array and will for the moment be using the first sites storage.... when i get this storage will i then have to change the indexes.conf file on the second site to this...

"servernamesite2/D:/Splunk/hotdb"
"servernamesite2/D:/Splunk/colddb"
"servernamesite2/D:/Splunk/thaweddb"

any help is greatly appreciated.

willsy

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Firstly, moving data location by altering indexes.conf while the server is stopped is fine and should be transparent.

Secondly, I am not sure how your storage array is being presented to the operating system, but if its through an Windows share, then I am pretty sure that is not supported. Technically it may work, but you need to make sure its very quick storage. The most component for Splunk (IMHO) is having fast storage above all else.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...