Use separate partitions for Splunk's datastore
This documentation does not apply to the most recent version of Splunk.
Splunk can use separate disks and partitions for its datastore. You can configure Splunk to use many disks, partitions, or file systems, split by index and by warm/cold stage, as long as you mount them correctly and configure the DB rolling. However, we recommend that you use a single high performance file system to hold your Splunk data for the best experience.
Splunk indexes roll through four DB stages:
- Hot - open for writing. Only one of these for each index. Searchable.
- Warm - data rolled from hot. There are many warm DBs. Searchable.
- Cold - data rolled from warm. There are many cold DBs. Searched only when the search specifies a time range included in these files.
- Frozen - buckets entering the frozen state are immediately deleted.
If you do use separate partitions, the most common way to arrange Splunk's datastore is to keep the hot and warm databases on the local machine, and to keep the cold database on a separate array or disks (for longer term storage). You want to run your hot and warm databases on a machine with partitions that read and write fast (since you'll be doing a majority of your search operations on hot and warm). Cold should be on a reliable array of disks.
Bucket flow:
- The single hot bucket rolls to warm when it reaches the specified size (maxDataSize)
- Buckets roll from warm to cold when the number of warm buckets exceeds the configured maximum count (maxWarmDBCount)
- Buckets stay in cold (or warm) until they are selected for archiving
In the default Splunk configuration, you may experience pauses in indexing and searching when you use separate partitions for the datastore. While buckets are being transferred from one partition to another, searches will not run. To alleviate this, contact Splunk Support for a warmToColdScript, which allows the bucket to be transferred with minimal pausing.
Set up separate partitions
Set up partitions just as you'd normally set them up in any operating system. Mount the disks/partitions, and make sure Splunk points to the correct path in indexes.conf.
First, add the correct paths in $SPLUNK_HOME/etc/system/local/indexes.conf. Set paths on a per-index basis -- under an [$INDEX] entry.
homePath = <path on server>
- The path that contains the hot and warm databases and fields for the index.
- Databases that are warm have a handle open to them at all times in splunkd.
- CAUTION: Path MUST be writable.
coldPath = <path on server>
- The path that contains the cold databases for the index.
- Cold databases are opened as needed when searching.
- CAUTION: Path MUST be writable.
thawedPath = <path on server>
- The path that contains the thawed (resurrected) databases for the index.
If you put your cold DB on a separate partition, you should set a warmToColdScript in indexes.conf. Set up a script to move your warm DBs from one partition to the partition where you store your cold DBs.
warmToColdScript = <$script>
- Specify a script to run when moving data from warm to cold.
- The script must accept two variables:
  - first, the warm directory to be rolled to cold.
  - second, the destination in the cold path.
- You only need to set this if you store warm and cold DBs on separate partitions.
- Contact Splunk Support before configuring this setting.
- Since buckets in the Splunk DB directories must be complete and coherent, a simple copy will cause many problems.
- Defaults to empty.
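A preflight check for the settings described above, as an added example that is not Splunk's own code: it reads one index stanza from indexes.conf, confirms that homePath and coldPath exist and are writable, and flags the case where they sit on different file systems while warmToColdScript is empty. The function names are hypothetical, and the script assumes the paths are literal absolute paths with no variables to expand.

```shell
#!/bin/sh
# Added example (not Splunk code). Function names are hypothetical.
# Assumes paths in indexes.conf are literal absolute paths (no variables).
# Run as the account that runs splunkd so the writability test is meaningful.

# get_setting CONF INDEX KEY: print KEY's value from the [INDEX] stanza.
get_setting() {
  awk -v stanza="[$2]" -v key="$3" '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^\[/ { in_stanza = ($0 == stanza); next }
    in_stanza && /^[^#]/ {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# fs_of PATH: print the mount point of the file system holding PATH.
fs_of() { df -P "$1" | awk 'NR == 2 { print $NF }'; }

# check_index CONF INDEX
# Returns 0 = ok, 1 = a path is unset, missing or not writable,
# 2 = warm and cold are on different file systems with no warmToColdScript.
check_index() {
  conf=$1; idx=$2; bad=0
  for key in homePath coldPath; do
    path=$(get_setting "$conf" "$idx" "$key")
    if [ -z "$path" ]; then
      echo "$idx: $key is not set in this stanza"; bad=1
    elif [ ! -d "$path" ] || [ ! -w "$path" ]; then
      echo "$idx: $key=$path is missing or not writable"; bad=1
    fi
  done
  [ "$bad" -eq 0 ] || return 1
  home=$(get_setting "$conf" "$idx" homePath)
  cold=$(get_setting "$conf" "$idx" coldPath)
  script=$(get_setting "$conf" "$idx" warmToColdScript)
  if [ "$(fs_of "$home")" != "$(fs_of "$cold")" ] && [ -z "$script" ]; then
    echo "$idx: homePath and coldPath are on different file systems but warmToColdScript is empty"
    return 2
  fi
  echo "$idx: ok"
}

# Usage: sh check_paths.sh /path/to/indexes.conf main
if [ "$#" -eq 2 ]; then check_index "$1" "$2"; fi
```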
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14