Splunk® Enterprise

Managing Indexers and Clusters of Indexers


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017.
This documentation does not apply to the most recent version of Splunk.

Move the index database

You can move the entire index database from one location to another. The sections in this topic provide procedures for doing so. The procedures assume that the index database is in its default location, created during the original installation.

You can also move individual indexes or parts of an index to separate locations. Once you do so, the procedures in this topic are no longer valid. For detailed information on the structure of Splunk indexes, read "How Splunk stores indexes". For information on how to change the location(s) for a single index, read "Configure index storage".

For *nix users

1. Make sure the target file system has enough space - at least 1.2 times the size of the total amount of raw data you plan to index.

2. Create the target directory and make sure it has write permissions for the user Splunk runs as. For example, if Splunk runs as user "splunk", give it ownership of the directory:

mkdir /foo/bar
chown splunk /foo/bar/

For information on setting the user that Splunk runs as, read this topic.

3. When the new index home is ready, stop Splunk. Navigate to the $SPLUNK_HOME/bin/ directory and run this command:

splunk stop

4. Copy the existing index file system to its new home:

cp -rp "$SPLUNK_DB"/* /foo/bar/

5. Unset the SPLUNK_DB environment variable:

unset SPLUNK_DB

6. Edit $SPLUNK_HOME/etc/splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:

SPLUNK_DB=/foo/bar

7. Start Splunk. Navigate to $SPLUNK_HOME/bin/ and run this command:

splunk start

The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.

8. You can delete the old index database after verifying that Splunk can read and write to the new location.
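A check to run between steps 4 and 8, as an added example that is not part of the Splunk documentation. It goes beyond the page's "verify that Splunk can read and write" by comparing content hashes and file modes of the old and new trees and by listing files the Splunk user does not own. The script name verify_index_copy.sh and its function names are hypothetical, and it assumes sha256sum and stat -c are available.

```shell
#!/bin/sh
# Added example: check a copied index tree before removing the original.
# Assumes sha256sum and "stat -c" (GNU coreutils or BusyBox).

# Print "<sha256> <octal mode> <relative path>" for every file under $1, sorted.
tree_manifest() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sum=$(sha256sum < "$f" | cut -d' ' -f1)
          printf '%s %s %s\n' "$sum" "$(stat -c '%a' "$f")" "$f"
      done )
}

# Return 0 only if source ($1) and copy ($2) hold the same files with the same
# content and mode; 1 if they differ or the source is empty; 2 if a tree
# cannot be entered.
verify_copy() {
    src_m=$(tree_manifest "$1") || return 2
    dst_m=$(tree_manifest "$2") || return 2
    [ -n "$src_m" ] && [ "$src_m" = "$dst_m" ]
}

# List everything under $1 that is not owned by user $2 (name or numeric uid).
# "cp -rp" run by a non-root user other than $2 leaves such files behind.
not_owned_by() {
    find "$1" ! -user "$2"
}

# Usage (Splunk stopped, after step 4, before SPLUNK_DB is unset):
#   sh verify_index_copy.sh "$SPLUNK_DB" /foo/bar splunk
if [ "$#" -eq 3 ]; then
    verify_copy "$1" "$2" || { echo "copy differs from source" >&2; exit 1; }
    bad=$(not_owned_by "$2" "$3")
    [ -z "$bad" ] || { echo "not owned by $3:" >&2; echo "$bad" >&2; exit 1; }
    echo "copy verified: $2 matches $1 and is owned by $3"
fi
```

A non-zero exit means the old index database should stay in place until the difference is explained.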

For Windows users

1. Make sure the target drive or directory has enough space available.

Caution: Using mapped network drives for index stores is strongly discouraged and not supported.

2. From a command prompt, go to your target drive and make sure the target directory has the correct permissions, so that the splunkd process can write to files there:

C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk runs as>:F

For more information about determining the user Splunk runs as, review this topic on installing Splunk on Windows.

Note: Windows Vista, 7, Server 2003 and Server 2008 users can also use icacls to ensure directory permissions are correct; this Microsoft TechNet article gives information on specific command-line arguments.

3. Stop Splunk. Navigate to the %SPLUNK_HOME%\bin directory and run this command:

splunk stop

Note: You can also use the Services control panel to stop the Splunkd and SplunkWeb services.

4. Copy the existing index file system to its new home:

xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k

5. Unset the SPLUNK_DB environment variable:

set SPLUNK_DB=

6. Edit %SPLUNK_HOME%\etc\splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:

SPLUNK_DB=D:\new\path\for\index

Note: If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, the line is commented out, and the # needs to be removed.

7. Start Splunk. Navigate to the %SPLUNK_HOME%\bin directory and run this command:

splunk start

The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.

8. You can delete the old index database after verifying that Splunk can read and write to the new location.

Use Splunk Web to change the path to indexes

You can use Splunk Web to change the path to your indexes. Unlike the earlier procedures that actually move the indexes, when you change the path in Splunk Web, it only affects new data coming into your indexes. For that reason, it's recommended that you use Splunk Web for this purpose only for a new indexer - before you start adding data to it.

To change the path:

1. Go to Manager > System settings > General settings.

2. Under the Index settings section on that page, go to the field Path to indexes.

3. Enter a new path in that field. This is where you want newly indexed data to reside.

4. Unset the SPLUNK_DB environment variable, if it's currently set in your environment:

  • For *nix, on the command line, type:
unset SPLUNK_DB
  • For Windows, on the command line, type:
set SPLUNK_DB=

5. Use the CLI to restart Splunk. Navigate to $SPLUNK_HOME/bin/ (*nix) or %SPLUNK_HOME%\bin (Windows) and run this command:

splunk restart

Important: Do not use the restart function inside Splunk Web. This will not have the intended effect of causing the index directory to change. You must restart from the CLI.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

For the Windows instructions, the xcopy command needs to have inverted commas around the source directory, such as xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\Splunk\Index /s /e /v /o /k

Otherwise the command will fail with invalid number of parameters error.

Johnkitson
July 14, 2015
