Are there any plans to add compaction of the inter...

mce128 · ‎09-12-2013

Hi,

I was just curious to know if adding the ability to compact the index databases is on the product timeline. It would be very nice to be able to compact the indexes of deleted data when neeeded. Albiet, that in a normally running system, it would only be used on a by exception basis as generally one is not actually deleting event records.

However, there are times when this would be a real life saver instead of having to fully remove and index and then re-index all of your files (if you even have them all for the time period.) After all, re-indexing everything with enough data could take days and throw you way over your license limits and thereby get your ability to search, etc locked out.

One other related question: Can you drop in an index from another host with everything intact, so that a particular host can take over that index as well? Or perhaps, process the index from another host into a newly created index?

gkanapathy · ‎09-12-2013

Have you looked at what the Splunk coldToFrozenDir setting does? it will in fact archive Splunk data to a specific path, and those indexes can be rebuilt/thawed at no cost to license, though it will require time and CPU to rebuild. There is really no other compaction necessary or possible, unless you have been using the "delete" command a lot.

Are there any plans to add compaction of the internal index databases? and one extra related question.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases