I am trying to move a massive amount of events from the main index to a dedicated index for the sourcetype. I am trying to do this by running a search and ...|collect index=dedicated index sourcetype=abc.
However, it seems like since the dispatch folder is on my / partition I am running out of space. I would like to temporarily move the folder to the same partition that hosts the indexes since I have plenty of storage.
Any ideas on how to tackle this one?
Thanks
The folder does not have much. It really would suck to do it 1 day at a time for the last 6 months.
Can I rename the main index and then create another main index or would that mess with Splunk?
As long as the index is defined in indexes.conf, you can move and rename it.
So yes.
Why not empty the dispatch folder instead,
or run your searches over a smaller time range?