Ansible scripts to assist in the migration of colddb to a new filesystem.

Fred Damstra b77141237f Resolved conflicts. 8 years ago
files 98f9b58ab6 Initial commit. 8 years ago
tasks 98f9b58ab6 Initial commit. 8 years ago
README.md b77141237f Resolved conflicts. 8 years ago

README.md

Playbook to Migrate ColdDB to the SplunkCold Filesystem

Notes: The scripts now support multiple folders at once, so this readme may be slightly out of date, but multiple folders should be straightforward if you look at the playbook.

Expectations:

Old cold path is /opt/splunk/var/lib/splunk//colddb
New cold path is /opt/splunk/var/lib/splunkcold//colddb

Ansible Method:

Step 1:

Recommendation: Use Screen so you don't lose your session!

ansible-playbook install_rsync --extra-vars="target=TARGETS"
ansible-playbook rsync_colddb --extra-vars="target=TARGETS folder=FOLDERNAME"

Watch progress in another window with: watch --interval 30 'ansible TARGETS --sudo --sudo-user=splunk -m shell -a "du -h --summarize /opt/splunk/var/lib/splunk/FOLDER/colddb /opt/splunk/var/lib/splunkcold/FOLDER/colddb"'


ansible-playbook install_rsync --extra-vars="target=Indexers"
ansible-playbook rsync_colddb --extra-vars="target=Indexers folder=FOLDERNAME"

Watch progress in another window with: watch 'du -h --summarize splunk/FOLDERNAME/colddb splunkcold/FOLDERNAME/colddb/; echo ""; ps auxfw | grep rsync'

Step 2:

Run a year-to-date search: | tstats count where index=FOLDERNAME by _time span=1d. Keep this window open for comparison at the end.

On the MN:

# Enable maintenance mode: 
sudo -u splunk /opt/splunk/bin/splunk enable maintenance-mode
# Backup indexes.conf
sudo -u splunk cp /opt/splunk/etc/master-apps/_cluster/local/indexes.conf{,.20170725}
# Edit indexes.conf
sudo -u splunk vi /opt/splunk/etc/master-apps/_cluster/local/indexes.conf

If it doesn't exist, add the volume:

[volume:coldvol]
path = /opt/splunk/var/lib/splunkcold

Modify the index you are working on and add:

coldPath = volume:coldvol/<indexname>/colddb

DO NOT apply the bundle. DO NOT let anybody /else/ apply the bundle. Transfer indexes.conf to the ansible master into <ansible_home>/os_modifications/roles/splunk_colddb_migration/files/indexes.conf

On the MN, run: watch sudo -u splunk /opt/splunk/bin/splunk show cluster-status

Step 3:

For each indexer, run from ansible server:

ansible-playbook migrate_single_indexer --extra-vars="target=IP folder=FOLDERNAME"

  • Check the cluster status before moving on to the next indexer! It takes a minute or two after starting before the indexer is operational again.

To verify you hit everybody, run: ansible --sudo --sudo-user=splunk Indexers -m shell -a "ls /opt/splunk/var/lib/splunk/FOLDER/colddb/". You should get error messages from every host.

Step 4: Disable maintenance mode, apply cluster bundle:

sudo -u splunk /opt/splunk/bin/splunk show maintenance-mode
sudo -u splunk /opt/splunk/bin/splunk disable maintenance-mode
sudo -u splunk /opt/splunk/bin/splunk show cluster-bundle-status
sudo -u splunk /opt/splunk/bin/splunk validate cluster-bundle
sudo -u splunk /opt/splunk/bin/splunk show cluster-bundle-status
sudo -u splunk /opt/splunk/bin/splunk apply cluster-bundle

Step 5: Clean up the /opt/splunk/var/lib/splunk/*/colddb.migrated directories

For the daring: ansible TARGETS --sudo --sudo-user=splunk -m shell -a 'rm -rfv /opt/splunk/var/lib/splunk/FOLDERNAME/colddb.migrated'
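Before removing colddb.migrated, it is worth proving that every bucket file in it exists unchanged in the new cold path. The check below is an added example, not part of this repository's playbooks; the function names and the constructed sample buckets are assumptions, and it also fails when a copy landed one level too deep (colddb/colddb).

```bash
#!/bin/sh
# Added example (not part of the playbook): confirm the migrated copy is
# complete before removing colddb.migrated.

# manifest DIR: one "crc size ./relative/path" line per file, byte-order sorted.
manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort )
}

# verify_colddb_copy OLD NEW
# Returns 0 only if every file under OLD exists under NEW at the same relative
# path with the same size and checksum. Extra files in NEW are allowed, since
# buckets keep rolling into the new cold path after cutover.
verify_colddb_copy() {
    old=$1; new=$2
    if [ ! -d "$old" ] || [ ! -d "$new" ]; then
        echo "not a directory: $old or $new" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    manifest "$old" > "$tmp/old"
    manifest "$new" > "$tmp/new"
    # Lines only in the old manifest: files missing from, or changed in, NEW.
    missing=$(LC_ALL=C comm -23 "$tmp/old" "$tmp/new")
    rm -rf "$tmp"
    if [ -n "$missing" ]; then
        printf 'DO NOT DELETE %s, not matched in %s:\n%s\n' "$old" "$new" "$missing" >&2
        return 1
    fi
    echo "OK: $old is fully present in $new"
}

# make_sample DIR: constructed sample data, two fake buckets (not real Splunk data).
make_sample() {
    for b in db_1500000000_1490000000_12 db_1490000000_1480000000_11; do
        mkdir -p "$1/$b/rawdata"
        echo "journal for $b" > "$1/$b/rawdata/journal.gz"
    done
}

# Usage on an indexer, as the splunk user:
#   verify_colddb_copy /opt/splunk/var/lib/splunk/FOLDERNAME/colddb.migrated \
#                      /opt/splunk/var/lib/splunkcold/FOLDERNAME/colddb
if [ $# -eq 2 ]; then verify_colddb_copy "$1" "$2"; fi
```

Run the rm only on hosts where the function returns 0; a return of 1 lists the files that would be lost.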

####################################################################

Manual Method (Just for reference, use the ansible method above)

1) Do a presync to minimize downtime (can be run multiple times before cutover):

    a. sudo -u splunk mkdir -p /opt/splunk/var/lib/splunkcold/FOLDER/colddb
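    b. sudo -u splunk rsync -avz --delete /opt/splunk/var/lib/splunk/FOLDER/colddb/ /opt/splunk/var/lib/splunkcold/FOLDER/colddb/
       The trailing slash on the source makes rsync copy the contents of colddb rather than create colddb/colddb in the destination.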

2) Update the master node:

    a. sudo -u splunk /opt/splunk/bin/splunk enable maintenance-mode 
    b. cp /opt/splunk/etc/master-apps/_cluster/local/indexes.conf{,.20170725}
    c. vi /opt/splunk/etc/master-apps/_cluster/local/indexes.conf
         i. Add:
        [volume:coldvol]
        path = /opt/splunk/var/lib/splunkcold
         ii. Then update the coldPath for FOLDER to be volume:coldvol/indexname/colddb

    d. Do NOT deploy the changes. Make sure EVERYBODY KNOWS, no touching the master node!

3) On each indexer in turn:

    a. sudo su - splunk
    b. /opt/splunk/bin/splunk stop
    c. rsync -avz --delete /opt/splunk/var/lib/splunk/FOLDERNAME/colddb/ /opt/splunk/var/lib/splunkcold/FOLDERNAME/colddb/
    d. Manually copy the indexes.conf from the master node to /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf
    e. mv /opt/splunk/var/lib/splunk/FOLDERNAME/colddb{,.20170725}
    f. /opt/splunk/bin/splunk btool check
    g. /opt/splunk/bin/splunk start

4) After all indexes are completed, run a search: | tstats count where index=FOLDERNAME by _time span=1d

    a. Year to date. There should not be gaps.

5) If everything checks out, turn off maintenance mode and apply the cluster bundle (if the changes on the indexers match the master's indexes.conf exactly, no bundle update will go out).