Move an index
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Move an index
You can move your Splunk index from one location to another.
Please note: do not try to break up and move parts of an index filesystem manually. If you need to subdivide an existing index, contact Splunk Support for assistance.
We'll use the example destination /foo/bar in the instructions below.
Configuration
- First, make sure the target filesystem has enough space - at least 1.2 times the size of the total amount of raw data you plan to index.
- Second, make sure the target directory has the correct permissions so that your splunkd process will be able to write to files there.
# mkdir /foo/bar # chown splunk /foo/bar/ # chmod 755 /foo/bar/
- When the new index home is ready, stop the server (if it is running) from Splunk's CLI.
- To use Splunk's CLI, navigate to the
$SPLUNK_HOME/bin/directory and use the./splunkcommand. You can also add Splunk to your path and use thesplunkcommand.
- To use Splunk's CLI, navigate to the
# ./splunk stop
- Copy the existing index filesystem to its new home.
# cp -r $SPLUNK_DB/* /foo/bar/
- Edit your
$SPLUNK_HOME/bin/setSplunkEnvfile.
# vi $SPLUNK_HOME/bin/setSplunkEnv
- Inside
setSplunkEnv, change theSPLUNK_DBvariable to point to your new index directory.
SPLUNK_DB=/foo/bar
Please note: ensure that the path $SPLUNK_HOME/var/lib/splunk/searches exists. Splunk will save a small amount of index data here and without it your index will appear to vanish. This issue will be addressed in 3.0.2.
- Start the server.
# ./splunk start
The Splunk Server should pick up where it left off, reading from and writing to the new copy of its old index filesystem.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.