Move the index database
You can move the entire index database from one location to another. The sections in this topic provide procedures for doing so. The procedures assume that the index database is in its default location, created during the original installation.
You can also move individual indexes or parts of an index to separate locations. If you have done so, the procedures in this topic are no longer valid. For detailed information on the structure of Splunk indexes and how to change the location(s) for a single index, read "How Splunk stores indexes".
For *nix users:
1. Make sure the target file system has enough space - at least 1.2 times the size of the total amount of raw data you plan to index.
2. Create the target directory and make sure it has write permissions for the user Splunk runs as. For example, if Splunk runs as user "splunk", give it ownership of the directory:
# mkdir /foo/bar
# chown splunk /foo/bar/
For information on setting the user that Splunk runs as, read this topic.
3. When the new index home is ready, stop Splunk. Navigate to the $SPLUNK_HOME/bin/ directory and run the command:
# ./splunk stop
4. Copy the existing index filesystem to its new home:
# cp -rp $SPLUNK_DB/* /foo/bar/
5. Edit $SPLUNK_HOME/etc/splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:
SPLUNK_DB=/foo/bar
6. Start Splunk. Navigate to $SPLUNK_HOME/bin/ and use the command:
# ./splunk start
The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.
7. You can delete the old index database after verifying that Splunk can read and write to the new location.
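An added example (not part of the Splunk documentation): one way to check the copy made in step 4 before deleting the old index database in step 7. Run it while Splunk is still stopped, between steps 4 and 6, because the new copy changes once Splunk starts writing to it. It assumes sha256sum is installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify an index copy while Splunk is stopped.
# Assumes sha256sum is available; function names are hypothetical.

# Print "<sha256>  <relative path>" for every regular file under $1,
# sorted in the C locale so comm can compare the lists reliably.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# Return 0 if the current user can create a file in directory $1.
# Run the check as the user Splunk runs as for a meaningful result.
can_write() {
    probe="$1/.write_probe.$$"
    ( : > "$probe" ) 2>/dev/null && rm -f "$probe"
}

# verify_index_copy SRC DST
# Returns 0 when DST is writable and every file in SRC exists in DST
# with identical content. Prints the differences and returns 1 otherwise.
# Extra files that exist only in DST are not reported.
verify_index_copy() {
    src="$1"; dst="$2"
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 2; }
    can_write "$dst" || { echo "cannot write to $dst" >&2; return 1; }
    tmp=$(mktemp -d) || return 2
    manifest "$src" > "$tmp/src"
    manifest "$dst" > "$tmp/dst"
    # comm -23 keeps lines found only in the source manifest:
    # files that are missing from DST or whose content differs.
    LC_ALL=C comm -23 "$tmp/src" "$tmp/dst" > "$tmp/diff"
    rc=0
    if [ -s "$tmp/diff" ]; then
        echo "missing or different in $dst:" >&2
        cat "$tmp/diff" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Call it as verify_index_copy "$SPLUNK_DB" /foo/bar before editing splunk-launch.conf. Because it walks the source with find, it also reports top-level dot files, which the * glob in step 4 does not copy.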
For Windows users:
1. Make sure the target drive or directory has enough space available.
Caution: Using mapped network drives for index stores is strongly discouraged and not supported.
2. From a command prompt, go to your target drive and make sure the target directory has the correct permissions, so that the splunkd process can write to files there:
C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk runs as>:F
For more information about determining the user Splunk runs as, review this topic on installing Splunk on Windows.
Note: Windows Vista, 7, Server 2003 and Server 2008 users can also use icacls to ensure directory permissions are correct; this Microsoft TechNet article gives information on specific command-line arguments.
3. Stop Splunk. Navigate to the %SPLUNK_HOME%\bin directory and use the command:
> .\splunk stop
Note: You can also use the Services control panel to stop the Splunkd and SplunkWeb services.
4. Copy the existing index filesystem to its new home:
> xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k
5. Edit %SPLUNK_HOME%\etc\splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:
SPLUNK_DB=D:\new\path\for\index
Note: If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, the line is commented out, and the # needs to be removed.
6. Start Splunk. Navigate to the %SPLUNK_HOME%\bin directory and use the command:
> .\splunk start
The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.
7. You can delete the old index database after verifying that Splunk can read and write to the new location.
This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3