Use separate partitions for Splunk's datastore
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Use separate partitions for Splunk's datastore
Splunk can use separate disks and partitions for its datastore. Theoretically, you can use any sort of arrangement of disks/partitions so long as you mount them correctly.
The most common way to arrange Splunk's datastore on separate partitions is to keep the hot and warm databases on the local machine, and to keep the cold database on a separate array or disks (for longer term storage). You want to run your hot and warm databases on a machine with partitions that read and write fast (since you'll be doing a majority of your search operations on hot and warm). Cold should be on a reliable array of disks.
You may experience pauses in indexing and searching when you use separate partitions for the datastore.
Set up separate partitions
Set up partitions just as you'd normally set them up in any operating system. Mount the disks/partitions, and make sure Splunk points to the correct path in the configuration files.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.