temporarily disable archiving

jarush · ‎05-22-2020

We need to move our archives to different storage and I'm looking for a way to blast this out to our 48 indexers all at once rather than needing to walk through it indexer by indexer. I want to make sure we don't lose any in-flight writes while I swap the NFS mounts for the archive directory on each indexer and I can't see a way to do that outside of stopping Splunk on the node.

It doesn't look like maintenance mode will do this.

Best I have is for each node:
1. Drop cluster to maintenance mode
2. splunk stop on node
3. mount old archive to temp location
4. mount new archive to permanent location
5. splunk start

Then at the end I can kick off a script to move all the old data off to the new location.

Is there a magically way to tell Splunk to just stop archiving for a few minutes so I can make the mount swap?

shivanshu1593 · ‎05-22-2020

With your condition to move the data, but not stop the in-flight writes, I think the best and the safest bet is to go with the steps that you've described. I don't believe there's an easy way out for you.

As always, as the last resort, you can open up a support ticket and ask Splunk directly. But with my experience with them, they'll suggest you to to go with your steps only.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

temporarily disable archiving

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes