Use multiple partitions for index data
The indexer can use multiple partitions for its index data. It's possible to configure the indexer to use many disks/partitions/filesystems on the basis of multiple indexes and bucket types, so long as you mount them correctly and point to them properly from indexes.conf. However, for most purposes, the best practice is to use a single high performance file system to hold the index data.
If you do use multiple partitions, the most common way to arrange the index data is to keep the hot/warm buckets on the local machine and to put the cold buckets on a separate array of disks suitable for longer term storage. You'll want to store your hot/warm buckets on a machine with fast read/write partitions, because most searching will happen there.
Configure multiple partitions
To configure multiple partitions:
1. Set up partitions just as you'd normally set them up in any operating system.
2. Mount the disks/partitions.
3. Edit indexes.conf to point to the correct paths for the partitions. You set paths on a per-index basis, so you can set separate partitions for different indexes. Each index has its own [<index>] stanza, where <index> is the name of the index. These are the main path settings:
   - homePath is the path that contains the hot and warm buckets for the index.
   - coldPath is the path that contains the cold buckets for the index.
   - thawedPath is the path that contains any thawed buckets for the index.
See Configure index path attributes for guidelines on defining index paths.
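The following Python script is an added example, not part of the Splunk documentation. It parses the three path settings from indexes.conf text and reports the mount point each path resolves to, so a cold or thawed path that lands on the root filesystem because its partition is not mounted shows up in the output. The index name, mount points and function names are assumptions, and paths are assumed to be absolute (no $SPLUNK_DB or volume: references).

```python
import os

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

# Constructed sample: the index name and mount points are assumptions.
SAMPLE_CONF = """\
[firewall]
homePath   = /mnt/fast/splunk/firewall/db
coldPath   = /mnt/archive/splunk/firewall/colddb
thawedPath = /mnt/archive/splunk/firewall/thaweddb
"""

def parse_index_paths(text):
    """Return {index: {setting: path}} for the three main path settings."""
    indexes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = indexes.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in PATH_KEYS:
                current[key] = value
    return indexes

def mount_point(path, ismount=os.path.ismount):
    """Walk up from an absolute path to the nearest mount point."""
    path = os.path.abspath(path)
    while not ismount(path):
        parent = os.path.dirname(path)
        if parent == path:  # reached the top without finding a mount
            break
        path = parent
    return path

def check(text, ismount=os.path.ismount):
    """Return (index, setting, path, mount) for every configured path."""
    return [(idx, key, path, mount_point(path, ismount))
            for idx, paths in parse_index_paths(text).items()
            for key, path in paths.items()]

if __name__ == "__main__":
    for idx, key, path, mnt in check(SAMPLE_CONF):
        flag = "WARNING: on root filesystem" if mnt == os.sep else "ok"
        print(f"[{idx}] {key}={path} -> {mnt} ({flag})")
```

To check a real configuration, pass the contents of your own indexes.conf to check() on the indexer host.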
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2