Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Relocating _internal and _audit, is it safe?

colinj
Path Finder
‎05-02-2012 05:24 PM

_internal and _audit have started to out grow their default location in $SPLUNK_DB. I'd like to relocate them to use the hot and cold mount points that I've created for my indexes. I have some questions?

  1. Is it safe to relocate the _* indexes?
  2. What's the right way to relocate these indexes so that I don't lose any data?
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-02-2012 06:02 PM

There isn't anything particularly dangerous about relocating these to another location / filesystem. Make sure you get indexes.conf correct, of course. (Or just mount the new location right where the old one was). You should plan for splunkd to be down during the change.

Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...