Hi,
I am sure the answer is out there but I am not exactly sure how to ask the question.
My Splunk server has two partitions, one for the OS & Applications, a second for the data. My Splunk Data is stored on the data partition. However, when a search is run, it decompresses the data (or something like that) to the application directory. For large time frame searches, it is eating up a lot of disk space on the OS/App partition. I would like this to happen on the data partition.
How can I move the location for this?
Thank you very much for any help. I am sure it is in a config file somewhere, but I am not exactly sure what it would be called to look for it.
Thanks!
Kevin
Search results and working space are stored in $SPLUNK_HOME/var/run/splunk/ (Splunk index data is by default in $SPLUNK_HOME/var/lib/splunk). The easiest way to put this onto a different partition is to change that directory path to a symbolic link in another location. On Windows pre-2008, you would use NTFS junctions: http://technet.microsoft.com/en-us/sysinternals/bb896768, or symbolic links on Windows 2008 or later.
Be sure to stop Splunk and copy over the contents, or you'll lose job results.
Be aware that this is different if you have search head pooling enabled, though, as search results are on the shared pool under that configuration, and for SH pooling to work, the shared area must continue to be shared storage, though I believe more recent versions also continue to use the local work space (though less of it).
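
The stop, copy and symlink steps from the answer above, as an added shell example that is not part of the original thread. The function name `relocate_dir` and the target path `/data/splunk-run` are hypothetical; the copy is verified before the original directory is renamed, and the original is kept as `.old` until you delete it.

```shell
#!/bin/sh
# Added example (not from the thread). Run as the user that owns the
# Splunk files, with Splunk stopped:
#   "$SPLUNK_HOME/bin/splunk" stop
#   relocate_dir "$SPLUNK_HOME/var/run/splunk" /data/splunk-run   # hypothetical target
#   "$SPLUNK_HOME/bin/splunk" start

relocate_dir() {
    src=$1     # directory to move, e.g. $SPLUNK_HOME/var/run/splunk
    dest=$2    # new location on the data partition (assumed path)

    # A second run must not copy through an existing link.
    if [ -L "$src" ]; then
        echo "already a symlink: $src" >&2
        return 2
    fi
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        return 1
    fi
    # A relative link target would resolve against the link's parent directory.
    case $dest in
        /*) ;;
        *) echo "target must be an absolute path: $dest" >&2; return 1 ;;
    esac
    # Refuse to merge into something that is already there.
    if [ -e "$dest" ]; then
        echo "target exists: $dest" >&2
        return 1
    fi

    mkdir -p "$(dirname "$dest")" || return 1
    # -p keeps owner, mode and timestamps; -P copies symlinks as symlinks.
    cp -RPp "$src" "$dest" || return 1
    # Verify the copy before touching the original job results.
    if ! diff -r "$src" "$dest" >/dev/null; then
        echo "copy does not match source, nothing changed" >&2
        return 1
    fi

    mv "$src" "$src.old" || return 1
    if ! ln -s "$dest" "$src"; then
        mv "$src.old" "$src"    # roll back so the original path still works
        return 1
    fi
    echo "relocated; remove $src.old once searches run normally"
}
```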