Our indexers have two volumes configured:
[volume:cold_vol]
path = /opt/splunk/var/lib/splunk_cold/colddb
maxVolumeDataSizeMB = 70000000
[volume:warm_vol]
path = /opt/splunk/var/lib/splunk/warm_vol
maxVolumeDataSizeMB = 358000
Here is the output of df:
[root@security-splunk-indexer-01001 local]# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 263961732 0 263961732 0% /dev
tmpfs 263978416 68 263978348 1% /dev/shm
tmpfs 263978416 4211840 259766576 2% /run
tmpfs 263978416 0 263978416 0% /sys/fs/cgroup
/dev/sda4 10435584 6149488 4286096 59% /
/dev/sda2 519852 170676 349176 33% /boot
/dev/sda5 376918204 372549972 4368232 99% /opt/splunk/var/lib/splunk
/dev/sdb1 76794778604 790009404 76004769200 2% /opt/splunk/var/lib/splunk_cold
/dev/sda1 522984 9744 513240 2% /boot/efi
tmpfs 52795684 0 52795684 0% /run/user/5905
For some reason, the warm bucket volume is at 99% utilization, but the buckets aren't rolling to the cold volume. The value of maxVolumeDataSizeMB is smaller than the total size of the volume.
Any idea why these buckets aren't rolling?
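An added example, not part of the original post: a small Python check that lines each `[volume:*]` cap up against the filesystem its path sits on, using only the stanzas and `df` rows quoted above. The function names are hypothetical, and the only assumptions are that `df` reports 1K-blocks and that maxVolumeDataSizeMB is in MiB.

```python
import re

# Copied from the post: the volume stanzas and the relevant df rows (1K-blocks).
INDEXES_CONF = """\
[volume:cold_vol]
path = /opt/splunk/var/lib/splunk_cold/colddb
maxVolumeDataSizeMB = 70000000
[volume:warm_vol]
path = /opt/splunk/var/lib/splunk/warm_vol
maxVolumeDataSizeMB = 358000
"""
DF_OUTPUT = """\
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda4 10435584 6149488 4286096 59% /
/dev/sda5 376918204 372549972 4368232 99% /opt/splunk/var/lib/splunk
/dev/sdb1 76794778604 790009404 76004769200 2% /opt/splunk/var/lib/splunk_cold
"""

def parse_volumes(conf):
    """Return {name: {"path": str, "cap_mb": int}} for [volume:*] stanzas only."""
    volumes, current = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("["):
            m = re.fullmatch(r"\[volume:(.+)\]", line)
            current = volumes.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "path":
                current["path"] = value
            elif key == "maxVolumeDataSizeMB":
                current["cap_mb"] = int(value)
    return volumes

def parse_df(text):
    """Return {mount_point: (size_kb, used_kb)} from plain df output."""
    rows = (line.split() for line in text.splitlines()[1:])
    return {f[5]: (int(f[1]), int(f[2])) for f in rows if len(f) >= 6}

def report(conf=INDEXES_CONF, df=DF_OUTPUT):
    mounts, out = parse_df(df), {}
    for name, vol in parse_volumes(conf).items():
        # Longest mount point that is a whole-component prefix of the volume
        # path, so .../splunk does not capture .../splunk_cold.
        mount = max((m for m in mounts if vol["path"] == m
                     or vol["path"].startswith(m.rstrip("/") + "/")), key=len)
        size_kb, used_kb = mounts[mount]
        cap_kb = vol["cap_mb"] * 1024
        out[name] = {"mount": mount,
                     "cap_pct_of_fs": round(100 * cap_kb / size_kb, 1),
                     "fs_used_minus_cap_mb": (used_kb - cap_kb) // 1024}
    return out
```

For the numbers in the post, the warm_vol cap is 97.3% of /dev/sda5 and that filesystem already holds about 5.8 GB more than the cap. So either the volume is over its cap or the partition holds data that is not counted against warm_vol.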