Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to store a recovered index database in a new file system separate from the Splunk installation folder?

aniello_cerrato
Path Finder
‎10-21-2016 08:37 AM

Hi,

I have to install Splunk on a new Linux machine.

I would like to know if it is possible to install Splunk on a file system and store the information recovered from databases, VMWare and others on another file system different from Splunk installation folder.

Thanks,
Aniello

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-21-2016 09:03 AM

if you want to put all indexes on a different filesystem, you have to modify $SPLUNK_DB variable that you can find in /opt/splunk/etc/splunk-launch.conf.

Otherwise, if you want to put only some indexes, you have to move them in the new location, following some steps:

  • stop Splunk
  • modify in $SPLUNK_HOME/etc/apps/yourapp/local/indexes.conf the index location (db, colddb thaweddb)
  • copy files and directories from $SPLUNK_HOME/var/lib/splunk/myindex to newlocation/myindex
  • restart Splunk. if you want, you could also put hot and work buckets in a filesystem and cold buckets in another one (less performing and less expensive) using different locations in indexes.conf.

If you want to do this on a new index, you can do it also by web gui.

Every way you can find a full description in:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Moveanindex

Bye.
Giuseppe

0 Karma
Reply

aniello_cerrato
Path Finder
‎10-21-2016 09:06 AM

On my splunk-launch.conf there are the following entry, I have to add a new entry?

#   Version 6.5.0

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
# SPLUNK_HOME=C:\Program Files\Splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var\lib\splunk subdirectory.  This can be overridden
# here:
#
# SPLUNK_DB=C:\wrangler-2.0\build-home\ivory\var\lib\splunk
# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd

# Splunkweb service name
SPLUNK_WEB_NAME=splunkweb
0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎10-21-2016 08:57 AM

From here: https://answers.splunk.com/answers/63848/changing-splunk-db-location.html

Stop Splunk, move the data, change the indexes.conf file to point to the new location. If you're moving not just one index, but the entire $SPLUNK_DB directory, you can instead edit the splunk-launch.conf file and modify the SPLUNK_DB setting. Then start Splunk up again.

Doc: http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Moveanindex

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...