Deployment Architecture

Will Splunk reindex the data files after server restart?

n4247558
New Member

I know that Splunk uses CRC to determine whether the data file has been modified and will index the new inserted data.

I want to know:
1. Where does Splunk store these information? Can we move these information data as files if we deploy Splunk to another server machine?
2. What if we restart Splunk? The whole data files will be reindexed or CRC still applies so that only new inserted data will be indexed?

Thanks!

0 Karma
1 Solution

satishsdange
Builder

Hi -

  1. All raw data is stored in $SPLUNK_HOME/var/lib/splunk directories. Before moving data to another Splunk server, its recommended to take backup. Please refer this link http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Backupindexeddata
  2. Splunk does not reindex raw data after restart unless you clean existing index data.

Hope this helps.

View solution in original post

jrc_seville_it
New Member

Hi,

I had some problems with reindexing after server restart... it seems the problem was caused by the DB Inputs (using DB Connect), that refresh data after restart (even if the refresh interval was set to 10 years).
The solution was to DISABLE the static DB Inputs after indexing the tables for first time.

Regards,

0 Karma

82padarthi
Explorer

Hi

splunk store the information under the fishbucket. this index will have all the details

Regards
Vinod Padarthi

0 Karma

satishsdange
Builder

Hi -

  1. All raw data is stored in $SPLUNK_HOME/var/lib/splunk directories. Before moving data to another Splunk server, its recommended to take backup. Please refer this link http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Backupindexeddata
  2. Splunk does not reindex raw data after restart unless you clean existing index data.

Hope this helps.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...