Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

Download topic as PDF

Move the index database

You can move the index database from one location to another. You do this by changing the path definition of SPLUNK_DB through the command-line interface of your operating system.

The procedures in this topic assume that the index database is in the default location, created during installation.

If you move individual indexes or parts of an index to separate locations, the procedures in this topic are not valid. For information on the structure of Splunk Enterprise indexes, see How the indexer stores indexes. For information on how to change the location for a single index, see Configure index storage.

Note: Although you can use Splunk Web to change the locations of individual indexes or index volumes, you cannot use it to change the default storage location of indexes, SPLUNK_DB.

For *nix users

Prerequisties

Make sure the target file system has at least 1.2 times the size of the total amount of raw data that you plan to index.

Steps

1. Create the target directory with write permissions for the user that Splunk Enterprise runs as. For example, if Splunk Enterprise runs as user "splunk", give it ownership of the directory:

mkdir /foo/bar
chown splunk /foo/bar/

For information on setting the user that Splunk Enterprise runs as, see Run Splunk Enterprise as a different or non-root user in the Installation Manual.

2. Stop the indexer:

splunk stop

3. Copy the index file system to the target directory:

cp -rp $SPLUNK_DB/* /foo/bar/

4. Unset the SPLUNK_DB environment variable:

unset SPLUNK_DB

5. Change the SPLUNK_DB attribute in $SPLUNK_HOME/etc/splunk-launch.conf to specify the new index directory:

SPLUNK_DB=/foo/bar

6. Start the indexer:

splunk start

The indexer picks up where it left off, reading from, and writing to, the new copy of the index.

7. You can delete the old index database after verifying that the indexer can read and write to the new location.

For Windows users

Prerequisties

Make sure the target drive or directory has at least 1.2 times the size of the total amount of raw data that you plan to index.

Caution: Do not use mapped network drives for index stores.

Steps

1. From a command prompt, make sure that the target directory has permissions that allow the splunkd process to write to that directory:

C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk Enterprise runs as>:F

For more information about determining the user Splunk Enterprise runs as, see Install on Windows in the Installation Manual.

2. Stop the indexer:

splunk stop

You can also use the Services control panel to stop the splunkd and splunkweb services.

3. Copy the existing index file system to the target directory:

xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k

4. Unset the SPLUNK_DB environment variable:

set SPLUNK_DB=

5. Edit the SPLUNK_DB attribute in %SPLUNK_HOME%\etc\splunk-launch.conf to specify the new index directory:

SPLUNK_DB=D:\new\path\for\index

If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, remove the #.

6. Start the indexer:

splunk start

The indexer picks up where it left off, reading from, and writing to, the new copy of the index.

7. You can delete the old index database after verifying that the indexer can read and write to the new location.

PREVIOUS
Configure index storage
  NEXT
Use multiple partitions for index data

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0


Comments

The instructions seems to be helpful but there is no mention of Hot bucket/Warm bucket. Do we need to take special care if Index directory has Hot buckets as well? In an old documentation I saw mention of Roll over command to convert Hot bucket in cold bucket, do we have to do same thing in Splunk 7.0 as well in order to migrate index?

Praghav1688
October 26, 2017

The *.dat files in $SPLUNK_HOME/var/lib/splunk should be left in that directory, they will continue to be used from that path, regardless of $SPLUNK_DB variable. Those files store the next bucket IDs. (see SPL-91688)

Mhoogcarspel splunk, Splunker
July 24, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters