Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Move the index database

You can move the entire index database from one location to another. The sections in this topic provide procedures for doing so. The procedures assume that the index database is in its default location, created during the original installation.

You can also move individual indexes or parts of an index to separate locations. If you have done so, the procedures in this topic are no longer valid. For detailed information on the structure of Splunk indexes and how to change the location(s) for a single index, read "How Splunk stores indexes".

For *nix users

1. Make sure the target file system has enough space - at least 1.2 times the size of the total amount of raw data you plan to index.

2. Create the target directory and make sure it has write permissions for the user Splunk runs as. For example, if Splunk runs as user "splunk", give it ownership of the directory:

mkdir /foo/bar
chown splunk /foo/bar/

For information on setting the user that Splunk runs as, read this topic.

3. When the new index home is ready, stop Splunk. Navigate to the $SPLUNK_HOME/bin/ directory and run this command:

splunk stop

4. Copy the existing index file system to its new home:

cp -rp "$SPLUNK_DB"/* /foo/bar/

5. Unset the SPLUNK_DB environment variable:

unset SPLUNK_DB

6. Edit $SPLUNK_HOME/etc/splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:

SPLUNK_DB=/foo/bar

7. Start Splunk. Navigate to $SPLUNK_HOME/bin/ and run this command:

splunk start

The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.

8. You can delete the old index database after verifying that Splunk can read and write to the new location.
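
The checks around steps 4, 6 and 8, as an added example (not part of the original manual and not Splunk tooling). The function names are hypothetical; it assumes Splunk is stopped, sha256sum is installed, and the target directory was empty before the copy:

```sh
#!/bin/sh
# Added example: guard rails for steps 4, 6 and 8. Not Splunk tooling.

# Sorted "sha256  ./relative/path" list for every regular file under $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# 0 if both trees hold the same files with the same content, else non-zero.
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# Print the active (uncommented) SPLUNK_DB value in conf $1; empty if none.
active_splunk_db() {
    sed -n -E 's/^[[:space:]]*SPLUNK_DB=(.*)$/\1/p' "$1" | tail -n 1
}

# Leave exactly one active SPLUNK_DB line in conf $1, pointing at $2.
# Active and commented-out ("# SPLUNK_DB=...") lines are both replaced.
set_splunk_db() {
    tmp=$(mktemp) || return 1
    sed -E '/^[[:space:]]*#?[[:space:]]*SPLUNK_DB=/d' "$1" > "$tmp"
    printf 'SPLUNK_DB=%s\n' "$2" >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"   # cat keeps the conf's owner and mode
}

# Step 8 gate: conf $1 points at new dir $3 AND $3 matches old dir $2.
old_index_removable() {
    [ "$(active_splunk_db "$1")" = "$3" ] && verify_copy "$2" "$3"
}

# Constructed demo tree and conf (not real Splunk data).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/old/defaultdb/db" "$d/new"
    printf 'constructed bucket\n' > "$d/old/defaultdb/db/rawdata"
    printf '# SPLUNK_DB=/opt/splunk/var/lib/splunk\n' > "$d/splunk-launch.conf"
    cp -rp "$d/old"/* "$d/new/"
    set_splunk_db "$d/splunk-launch.conf" "$d/new"
    if old_index_removable "$d/splunk-launch.conf" "$d/old" "$d/new"
    then echo "verified: old index can be deleted"
    else echo "mismatch: keep the old index"; fi
    rm -rf "$d"
}
demo
```

Because the manifest comparison covers every file in both trees, a file that the copy skipped or truncated shows up as a mismatch, and the old index stays in place.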

For Windows users

1. Make sure the target drive or directory has enough space available.

Caution: Using mapped network drives for index stores is strongly discouraged and not supported.

2. From a command prompt, go to your target drive and make sure the target directory has the correct permissions, so that the splunkd process can write to files there:

C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk runs as>:F

For more information about determining the user Splunk runs as, review this topic on installing Splunk on Windows.

Note: Windows Vista, 7, Server 2003 and Server 2008 users can also use icacls to ensure directory permissions are correct; this Microsoft TechNet article gives information on specific command-line arguments.

3. Stop Splunk. Navigate to the %SPLUNK_HOME%\bin directory and run this command:

splunk stop

Note: You can also use the Services control panel to stop the Splunkd and SplunkWeb services.

4. Copy the existing index file system to its new home:

xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k

5. Unset the SPLUNK_DB environment variable:

set SPLUNK_DB=

6. Edit %SPLUNK_HOME%\etc\splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:

SPLUNK_DB=D:\new\path\for\index

Note: If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, the line is commented out, and the # needs to be removed.

7. Start Splunk. Navigate to the %SPLUNK_HOME%\bin directory and run this command:

splunk start

The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.

8. You can delete the old index database after verifying that Splunk can read and write to the new location.

Use Manager to change the path to indexes

You can use Manager to change the path to your indexes. Unlike the earlier procedures that actually move the indexes, when you change the path in the Manager, it only affects new data coming into your indexes. For that reason, it's recommended that you use the Manager for this purpose only for a new indexer - before you start adding data to it.

To change the path:

1. Go to Manager > System settings > General settings.

2. Under the Index settings section on that page, go to the field Path to indexes.

3. Enter a new path in that field. This is where you want newly indexed data to reside.

4. Unset the SPLUNK_DB environment variable, if it's currently set in your environment:

  • For *nix, on the command line, type:

    unset SPLUNK_DB

  • For Windows, on the command line, type:

    set SPLUNK_DB=

5. Use the CLI to restart Splunk. Navigate to $SPLUNK_HOME/bin/ (*nix) or %SPLUNK_HOME%\bin (Windows) and run this command:

splunk restart

Important: Do not use the restart function inside Manager. This will not have the intended effect of causing the index directory to change. You must restart from the CLI.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

This article covers moving indexes, but not deleting them? There seem to be no readily available instructions or menu choices for deleting indexes. It's strange that the application would allow me to create, enable and disable indexes but not delete them.

Ccrayto
October 4, 2012

Jasonstone - Here's a Splunk Answer that might begin to address your issue:

http://splunk-base.splunk.com/answers/34946/move-some-contentsource-from-one-index-to-another-index

For information more specific to your needs, I suggest you pose your own question in Splunk Answers.

Sgoodman, Splunker
May 23, 2012

How do you spread old data over multiple Splunk indexers when you move from one indexer to many?

Jasonstone
May 23, 2012
