I'm running into the same problem running Splunk on AWS (with a small root volume).
Previously moved the indexes to a non-root volume (specified a new splunkdb location in etc/splunk-launch.conf).
I moved the data (don't know if the first step is entirely necessary), symlinked to the external disk and restarted.
NOTE: done as the splunk user, and assuming your external volume is mounted at /mnt/data:
mkdir /mnt/data/dispatch
mv var/run/splunk/dispatch/* /mnt/data/dispatch/ && rmdir var/run/splunk/dispatch && ln -s /mnt/data/dispatch/ var/run/splunk/dispatch
~/bin/splunk restart
This seems to work for me. There is some report above that the symlink causes problems in previous versions, but I'm not seeing any errors or misbehavior.
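The move-and-symlink step from the post above, written as a re-runnable shell function. This is an added example, not part of the original post: the name `relocate_dir` is hypothetical, and it assumes Splunk is stopped and the function is run as the splunk user. Unlike a bare `mv dir/*`, it also handles an empty dispatch directory, dotfiles, and a directory that has already been symlinked.

```shell
#!/bin/sh
# Added example (not from the original post).
# relocate_dir SRC DST
#   Moves every entry of SRC into DST, then replaces SRC with a symlink to DST.
#   DST must be an absolute path so the symlink resolves from any directory.
relocate_dir() {
    src=$1
    dst=$2

    # A relative target would be resolved relative to SRC's parent and break.
    case "$dst" in
        /*) ;;
        *) echo "target must be an absolute path: $dst" >&2; return 1 ;;
    esac

    # Already relocated on an earlier run: nothing to do.
    if [ -L "$src" ]; then
        echo "already a symlink: $src -> $(readlink "$src")"
        return 0
    fi
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }

    mkdir -p "$dst" || return 1
    [ -w "$dst" ] || { echo "target not writable: $dst" >&2; return 1; }

    # find instead of a '*' glob: also moves dotfiles and does not fail
    # when the source directory is empty.
    find "$src" -mindepth 1 -maxdepth 1 -exec mv -- {} "$dst"/ \;

    # rmdir only succeeds on an empty directory, so it doubles as the check
    # that every entry was moved before the original is replaced.
    rmdir "$src" || { echo "entries left behind in $src" >&2; return 1; }
    ln -s "$dst" "$src" || return 1

    # Final check: SRC is now a symlink that resolves to a directory.
    [ -L "$src" ] && [ -d "$src" ]
}
```

With the paths from the post, the call from the Splunk home directory would be `relocate_dir var/run/splunk/dispatch /mnt/data/dispatch`, followed by the restart.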