Related Answers
Download topic as PDF
Move the index database
You can move the entire index database from one location to another. The sections in this topic provide procedures for doing so. The procedures assume that the index database is in its default location, created during the original installation.
You can also move individual indexes or parts of an index to separate locations. Once you do so, the procedures in this topic are no longer valid. For detailed information on the structure of Splunk Enterprise indexes, read "How the indexer stores indexes". For information on how to change the location(s) for a single index, read "Configure index storage".
For *nix users
1. Make sure the target file system has enough space - at least 1.2 times the size of the total amount of raw data you plan to index.
2. Create the target directory and make sure it has write permissions for the user Splunk Enterprise runs as. For example, if Splunk Enterprise runs as user "splunk", give it ownership of the directory:
mkdir /foo/bar chown splunk /foo/bar/
For information on setting the user that Splunk Enterprise runs as, read this topic.
3. When the new index home is ready, stop the indexer. Navigate to the $SPLUNK_HOME/bin/ directory and run this command:
splunk stop
4. Copy the existing index file system to its new home:
cp -rp $SPLUNK_DB/* /foo/bar/
5. Unset the SPLUNK_DB environment variable:
unset SPLUNK_DB
6. Edit $SPLUNK_HOME/etc/splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:
SPLUNK_DB=/foo/bar
7. Start the indexer. Navigate to $SPLUNK_HOME/bin/ and run this command:
splunk start
The indexer picks up where it left off, reading from, and writing to, the new copy of the index.
8. You can delete the old index database after verifying that the indexer can read and write to the new location.
For Windows users
1. Make sure the target drive or directory has enough space available.
Caution: Using mapped network drives for index stores is strongly discouraged and not supported.
2. From a command prompt, go to your target drive and make sure the target directory has the correct permissions, so that the splunkd process can write to files there:
C:\Program Files\Splunk> D: D:\> mkdir \new\path\for\index D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk Enterprise runs as>:F
For more information about determining the user Splunk Enterprise runs as, review this topic on installing Splunk on Windows.
Note: Windows Vista, 7, Server 2003 and Server 2008 users can also use icacls to ensure directory permissions are correct; this Microsoft TechNet article gives information on specific command-line arguments.
3. Stop the indexer. Navigate to the %SPLUNK_HOME%\bin directory and run this command:
splunk stop
Note: You can also use the Services control panel to stop the splunkd and splunkweb services.
4. Copy the existing index file system to its new home:
xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k
5. Unset the SPLUNK_DB environment variable:
set SPLUNK_DB=
6. Edit %SPLUNK_HOME%\etc\splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:
SPLUNK_DB=D:\new\path\for\index
Note: If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, the line is commented out, and the # needs to be removed.
7. Start the indexer. Navigate to the %SPLUNK_HOME%\bin directory and run this command:
splunk start
The indexer picks up where it left off, reading from, and writing to, the new copy of the index.
8. You can delete the old index database after verifying that the indexer can read and write to the new location.
Use Splunk Web to change the path to indexes
You can use Splunk Web to change the path to your indexes. Unlike the earlier procedures that actually move the indexes, when you change the path in Splunk Web, it only affects new data coming into your indexes. For that reason, it's recommended that you use Splunk Web for this purpose only for a new indexer - before you start adding data to it.
To change the path:
1. Select Settings>Server settings>General settings.
2. Under the Index settings section on that page, go to the field Path to indexes.
3. Enter a new path in that field. This is where you want newly indexed data to reside.
4. Unset the SPLUNK_DB environment variable, if it's currently set in your environment:
- For *nix, on the command line, type:
unset SPLUNK_DB
- For Windows, on the command line, type:
set SPLUNK_DB=
5. Use the CLI to restart the indexer. Navigate to $SPLUNK_HOME/bin/ (*nix) or %SPLUNK_HOME%\bin (Windows) and run this command:
splunk restart
Important: Do not use the restart function inside Splunk Web. This will not have the intended effect of causing the index directory to change. You must restart from the CLI.
|
PREVIOUS Configure index storage |
NEXT Use multiple partitions for index data |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
Feedback submitted, thanks!