Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to store a recovered index database in a new file system separate from the Splunk installation folder?

aniello_cerrato
Path Finder
‎10-21-2016 08:37 AM

Hi,

I have to install Splunk on a new Linux machine.

I would like to know if it is possible to install Splunk on a file system and store the information recovered from databases, VMWare and others on another file system different from Splunk installation folder.

Thanks,
Aniello

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-21-2016 09:03 AM

if you want to put all indexes on a different filesystem, you have to modify $SPLUNK_DB variable that you can find in /opt/splunk/etc/splunk-launch.conf.

Otherwise, if you want to put only some indexes, you have to move them in the new location, following some steps:

  • stop Splunk
  • modify in $SPLUNK_HOME/etc/apps/yourapp/local/indexes.conf the index location (db, colddb thaweddb)
  • copy files and directories from $SPLUNK_HOME/var/lib/splunk/myindex to newlocation/myindex
  • restart Splunk. if you want, you could also put hot and work buckets in a filesystem and cold buckets in another one (less performing and less expensive) using different locations in indexes.conf.

If you want to do this on a new index, you can do it also by web gui.

Every way you can find a full description in:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Moveanindex

Bye.
Giuseppe

0 Karma
Reply

aniello_cerrato
Path Finder
‎10-21-2016 09:06 AM

On my splunk-launch.conf there are the following entry, I have to add a new entry?

#   Version 6.5.0

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
# SPLUNK_HOME=C:\Program Files\Splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var\lib\splunk subdirectory.  This can be overridden
# here:
#
# SPLUNK_DB=C:\wrangler-2.0\build-home\ivory\var\lib\splunk
# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd

# Splunkweb service name
SPLUNK_WEB_NAME=splunkweb
0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎10-21-2016 08:57 AM

From here: https://answers.splunk.com/answers/63848/changing-splunk-db-location.html

Stop Splunk, move the data, change the indexes.conf file to point to the new location. If you're moving not just one index, but the entire $SPLUNK_DB directory, you can instead edit the splunk-launch.conf file and modify the SPLUNK_DB setting. Then start Splunk up again.

Doc: http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Moveanindex

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...