Use multiple partitions for index data
The indexer can use multiple disks and partitions for its index data. It's possible to configure the indexer to use many disks/partitions/filesystems on the basis of multiple indexes and bucket types, so long as you mount them correctly and point to them properly from
indexes.conf. However, we recommend that you use a single high performance file system to hold your index data for the best experience.
If you do use multiple partitions, the most common way to arrange the index data is to keep the hot/warm buckets on the local machine, and to put the cold bucket on a separate array of disks (for longer term storage). You'll want to run your hot/warm buckets on a machine with with fast read/write partitions, since most searching will happen there. Cold buckets should be located on a reliable array of disks.
Configure multiple partitions
To configure multiple partitions:
1. Set up partitions just as you'd normally set them up in any operating system.
2. Mount the disks/partitions.
3. Edit indexes.conf to point to the correct paths for the partitions. You set paths on a per-index basis, so you can also set separate partitions for different indexes. Each index has its own
[<index>] stanza, where
<index> is the name of the index. These are the settable path attributes:
homePath = <path on server>
- This is the path that contains the hot and warm databases for the index.
coldPath = <path on server>
- This is the path that contains the cold databases for the index.
thawedPath = <path on server>
- This is the path that contains any thawed databases for the index.
Move the index database
Configure maximum index size
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14