Move the index database

You can move the index database from one location to another. You do this by changing the path definition of SPLUNK_DB through the command-line interface of your operating system.

The procedures in this topic assume that the index database is in the default location, created during installation.

If you move individual indexes or parts of an index to separate locations, the procedures in this topic are not valid. For information on the structure of Splunk Enterprise indexes, see How the indexer stores indexes. For information on how to change the location for a single index, see Configure index storage.

Note: Although you can use Splunk Web to change the locations of individual indexes or index volumes, you cannot use it to change the default storage location of indexes, SPLUNK_DB.

For *nix users

Prerequisties

Make sure the target file system has at least 1.2 times the size of the total amount of raw data that you plan to index.

Steps

1. Create the target directory with write permissions for the user that Splunk Enterprise runs as. For example, if Splunk Enterprise runs as user "splunk", give it ownership of the directory:

mkdir /foo/bar
chown splunk /foo/bar/

For information on setting the user that Splunk Enterprise runs as, see Run Splunk Enterprise as a different or non-root user in the Installation Manual.

2. Stop the indexer:

splunk stop

3. Copy the index file system to the target directory:

cp -rp $SPLUNK_DB/* /foo/bar/

4. Unset the SPLUNK_DB environment variable:

unset SPLUNK_DB

5. Change the SPLUNK_DB attribute in $SPLUNK_HOME/etc/splunk-launch.conf to specify the new index directory:

SPLUNK_DB=/foo/bar

6. Start the indexer:

splunk start

The indexer picks up where it left off, reading from, and writing to, the new copy of the index.

7. You can delete the old index database after verifying that the indexer can read and write to the new location.

For Windows users

Prerequisties

Make sure the target drive or directory has at least 1.2 times the size of the total amount of raw data that you plan to index.

Caution: Do not use mapped network drives for index stores.

Steps

1. From a command prompt, make sure that the target directory has permissions that allow the splunkd process to write to that directory:

C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk Enterprise runs as>:F

For more information about determining the user Splunk Enterprise runs as, see Install on Windows in the Installation Manual.

2. Stop the indexer:

splunk stop

You can also use the Services control panel to stop the splunkd and splunkweb services.

3. Copy the existing index file system to the target directory:

xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k

4. Unset the SPLUNK_DB environment variable:

set SPLUNK_DB=

5. Edit the SPLUNK_DB attribute in %SPLUNK_HOME%\etc\splunk-launch.conf to specify the new index directory:

SPLUNK_DB=D:\new\path\for\index

If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, remove the #.

6. Start the indexer:

splunk start

The indexer picks up where it left off, reading from, and writing to, the new copy of the index.

7. You can delete the old index database after verifying that the indexer can read and write to the new location.