Splunk Amazon AMI is using the root partition to store data. How do I change it?

mataharry
Communicator

I installed an Amazon Ubuntu using the preconfigured Splunk AMI.
Splunk is installed on /opt/splunk, with the indexes and the dispatch folder.

The problem is that my root "/" partition is very small (2GB), and the indexes are filling it, in particular /opt/splunk/var/lib/splunk with the indexes.
How do I relocate the indexes to a larger partition that I mounted (EBS in my case)?


yannK
Splunk Employee

Let's imagine you have a new mount /splunkdata/ and want to use this space.

You have 4 methods to free space on the root "/" partition.

  • One way is to move/reinstall Splunk to the new storage.
    For example, install Splunk on /splunkdata/splunk. If you are using a simple tar installer, it's quick to move; if you are using an rpm install, you have to save the data, uninstall, and reinstall on the new path.

    At the end, recreate the service with /path/to/my/new/splunk/bin/splunk disable boot-start; /path/to/my/new/splunk/bin/splunk enable boot-start

  • Use a symlink, but this does not play well with the volume size calculation.

    /opt/splunk/bin/splunk stop

    move the index data to the new location

    cp -R /opt/splunk/var/lib/splunk /splunkdata/

    remove the folder

    rm -rf /opt/splunk/var/lib/splunk

    create the symlink

    ln -s /splunkdata/splunk /opt/splunk/var/lib/splunk
    ls -la /opt/splunk/var/lib

  • Meticulously move one index at a time to a new location (homePath and coldPath in indexes.conf)
    http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex

  • The easiest method is to redefine a new base path, SPLUNK_DB, for all the indexes.

The default SPLUNK_DB points to SPLUNK_HOME/var/lib/splunk

/opt/splunk/bin/splunk stop
# move the index data to the new location (this creates /splunkdata/splunk)
mv /opt/splunk/var/lib/splunk /splunkdata/
# edit the launcher config to redefine SPLUNK_DB
vi /opt/splunk/splunk-launcher.cfg
# add "SPLUNK_DB=/splunkdata/splunk"
/opt/splunk/bin/splunk start
# then verify that the old and new data are searchable

I recommend the last method: redefine SPLUNK_DB.
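
An added example, not part of the answer above and not Splunk's own tooling: a shell version of the SPLUNK_DB method that copies the index data with ownership preserved, verifies per-file checksums, and only then edits the launch config, so indexed log data is not lost or left unreadable by a partial move. The function names, the `.moved` suffix and the argument layout are assumptions; the config path is a parameter because this thread names both /opt/splunk/splunk-launcher.cfg and /opt/splunk/etc/splunk-launch.conf.

```shell
#!/bin/sh
# Added example; function names and the ".moved" suffix are assumptions.

# True if the filesystem holding $2 has more free KiB than $1 occupies.
has_room() {
    need=$(du -sk "$1" | awk '{print $1}')
    free=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$free" -gt "$need" ]
}

# Copy $1 into $2 keeping owner, mode and timestamps, then compare
# per-file checksums. Prints the new path on success.
copy_verified() {
    src=$1; dest=$2/$(basename "$1")
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 1; fi
    cp -a "$src" "$dest" || return 1
    a=$(cd "$src" && find . -type f -exec cksum {} + | sort -k3)
    b=$(cd "$dest" && find . -type f -exec cksum {} + | sort -k3)
    [ "$a" = "$b" ] || { echo "checksum mismatch" >&2; return 1; }
    printf '%s\n' "$dest"
}

# Replace an active SPLUNK_DB= line in config $1 with value $2, or append
# one; rerunning leaves exactly one assignment. A .bak copy is kept.
set_splunk_db() {
    cp -p "$1" "$1.bak" || return 1
    awk -v v="$2" '
        /^[ \t]*SPLUNK_DB=/ { if (!done) print "SPLUNK_DB=" v; done = 1; next }
        { print }
        END { if (!done) print "SPLUNK_DB=" v }
    ' "$1.bak" > "$1"
}

# The answer's last method with the checks above. $1 = SPLUNK_HOME,
# $2 = new mount (no trailing slash), $3 = launch config file.
relocate() {
    old=$1/var/lib/splunk
    has_room "$old" "$2" || { echo "not enough space on $2" >&2; return 1; }
    "$1/bin/splunk" stop || return 1
    new=$(copy_verified "$old" "$2") || return 1
    set_splunk_db "$3" "$new" || return 1
    mv "$old" "$old.moved"   # delete only after old data is searchable again
    "$1/bin/splunk" start
}

if [ "$#" -eq 3 ]; then relocate "$@"; fi
```

The root partition is only freed once the `.moved` directory is deleted, which should wait until a search over old events succeeds against the new location.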

mataharry
Communicator

It was quick.

I redefined SPLUNK_DB and moved my data; I now have 500GB of storage on the new partition for the indexes.
Later, I will need to add more partitions, and will use homePath and coldPath to relocate some indexes onto them.

johnklaiber
New Member

Hello, I'm looking to implement this "easiest method" solution and for some reason our latest version of Splunk does not have the "/opt/splunk/splunk-launcher.cfg" file. We are on version 7.3.0. Has something changed since this original posting?

johnklaiber
New Member

Well, I actually found the answer in documentation and it may be appropriate for the details to be outlined here in this case for others seeking an answer.

Newer versions of Splunk will now have this value edited in:
/opt/splunk/etc/splunk-launch.conf

Cheers!

richgalloway
SplunkTrust

@johnklaiber This question is 5 years old with an accepted answer. It's also outdated. Please post a new question.
