How to properly configure and monitor index retention in an indexer cluster?
We have moved to a new 3-Indexer environment with Index Replication from a 1-Indexer environment. We moved all of the buckets from the old environment to the 3 new Indexers, split up evenly in their...
View ArticleHow to maximize the use of SSD for hot/warm data?
Greetings fellow delvers of the deep data.... We recently made some changes to indexes.conf because we were not sure the config was doing what we wanted it to do. The result of that poorly considered...
View ArticleWhy am I unable to see cold path in Splunk?
for an index, i specified the following: [abc] homePath = $SPLUNK_DB/abc/db coldPath = $SPLUNK_DB/abc/colddb thawedPath = $SPLUNK_DB/abc/thaweddb since i used "$SPLUNK_DB" i don't see it in...
View ArticleIs this 180 day retention policy configuration in indexes.conf appropriate?
Hi, We are are setting up our indexes to all have a retention policy of 180 total days. 10 days in hot/warm and 170 in cold. Below is a sample stanza that we plan to setup for each index. Can we get...
View ArticleWhy is the retention policy not working on certain indexes (to delete indexed...
Hi All, Currently we facing a storage issue in one of the indexer instances, though the retention policy has set for an year and it works for most of the indexes and only for few of the indexes we...
View ArticleAdd / Remove desired indexes in / from the search
I'm using this search => index=_internal source="*license_usage.log" type=usage idx="f*" | eval MB = round(b/1048576,2) | eval idx = idx | timechart span=1d sum(MB) by idx limit=0 | rename _time as...
View ArticleSplunk App and Add-on for Unix and Linux: How to change the default index...
We're using the Splunk App for Unix and Linux and the Splunk Add-on for Unix and Linux to capture host metrics from our forwarders. I actually have 2 questions. How to you change the default index name...
View ArticleWhy is cluster master not showing custom indexes in Indexer Clustering:Master...
I have a test environment and a production environment and have what appear to be identical settings with different results. In our production environment I am able to see our newly created indexes in...
View ArticleIs there a way to set the default in indexes.conf for a value?
All, I am rewriting my indexes.conf file. It had gotten pretty ugly over the years. I find myself writing the same values over and over again. Is there anyway to declare defaults? For example, the...
View ArticleWhy do I receive error "Problem in indexer : Problem parsing indexes.conf:...
Hello , I have a distributed architecture of Splunk Search Head with Splunk Enterprise Security and an indexer . I get suddenly this error message on the indexer and it's stopped "Problem parsing...
View ArticleProblem indexes.conf splunkd not restarting !
Hello , I have a distributed architecture of Splunk SH with Splunk ES and an indexer . I get suddenly this error message on the indexer and it's stopped I had that message error when I restart splunkd...
View ArticleCan not configure the coldToFrozenDir directories but have all permissions
Hello again everyone, I wrote an indexes.conf to set up an area for frozen data in a Windows Server 2012 R2, Splunk 6.5.2 single server instance in an EMC isilon drive, SMB (Server Message Block)...
View Articleindexes.conf and setting volumes globally
Hi - I am re-architecting our Splunk environment. I have mounted various volumes to each of my indexers (3 total) for hot, warm and cold buckets. To do this I have set volumes in an indexes.conf file I...
View Articlehow to search in default indexes (not only one) in one app without providing...
Hello folks There is a way to configure which indexes belongs which splunk app. Is there also a way to configure in app to tell splunk per default which indexes to search through. Let's say I have...
View ArticleSplunk Newbie: Configuring hot and cold storage on 2 separate volumes (AWS)
Using Splunk Enterprise 6.5.3 Hello, I have recently downloaded Splunk Enterprise on an AWS linux instance and have mounted a fast volume and and a large storage volume. These are the following...
View ArticleMy warm bucket moves straight to frozen and I don't know why?
This is my indexes.conf: *[volume:hot] path = /data/hot maxVolumeDataSizeMB = 8500 [volume:cold] path = /data/cold maxVolumeDataSizeMB = 10500 [myindex] homePath = volume:hot/myindex/db coldPath =...
View ArticleWhy does the newest warm bucket roll to cold instead of the oldest warm bucket?
This is my indexes.conf file: # volume definitions [volume:hot] path = /data/hot maxVolumeDataSizeMB = 8500 [volume:cold] path = /data/cold maxVolumeDataSizeMB = 10500 # index definition (calculation...
View ArticleWhen increasing retention time on index in...
I increased the retention time of an index from 30 days to 13 months on the cluster master, in $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf and applied the bundle. Splunk shows...
View ArticleClarification - indexes.conf
This is my indexes.conf configuration [volume:hot_warm] path = /store/hot_warm maxVolumeDataSizeMB = 1450000 [volume:cold] path = /store/cold maxVolumeDataSizeMB = 9400000 [pan] homePath =...
View ArticlemaxHotSpanSecs not rolling hot buckets
I use "maxHotSpanSecs" to cut the size of each bucket received. Only join "maxHotSpanSecs = 2592000" (30d) in test of local/indexes.conf (index=test) Execution results: Each bucket is greater than 30...
View Article