I installed an Amazon Ubuntu instance using the preconfigured Splunk AMI.
Splunk is installed in /opt/splunk, with the indexes and the dispatch folder.
The problem is that my root "/" partition is very small (2GB), and the indexes are filling it, in particular /opt/splunk/var/lib/splunk with the indexes.
How do I relocate the indexes to a larger partition that I mounted (EBS in my case)?
Let's imagine you have a new mount /splunkdata/ and want to use this space.
You have 4 methods to free space on the root "/" partition.

One way is to move/reinstall Splunk to the new storage.
For example, install Splunk in /splunkdata/splunk. If you are using a simple tar installer, it's quick to move; if you are using an rpm install, you have to save the data, uninstall, and reinstall on the new path.
At the end, recreate the service with:
/path/to/my/new/splunk/bin/splunk disable boot-start; /path/to/my/new/splunk/bin/splunk enable boot-start

Use a symlink, but this does not play well with the size volume calculation.
/opt/splunk/bin/splunk stop
cp -R /opt/splunk/var/lib/splunk /splunkdata/
rm -rf /opt/splunk/var/lib/splunk
# cp -R into the existing /splunkdata/ directory created /splunkdata/splunk, so link to that
ln -s /splunkdata/splunk /opt/splunk/var/lib/splunk
ls -la /opt/splunk/var/lib

Meticulously move one index at a time to a new location (homePath and coldPath in indexes.conf).
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex

The easiest method is to redefine a new base path, SPLUNK_DB, for all the indexes.
The default SPLUNK_DB points to SPLUNK_HOME/var/lib/splunk.
/opt/splunk/bin/splunk stop
# move the index data to the new location (this lands in /splunkdata/splunk)
mv /opt/splunk/var/lib/splunk /splunkdata/
# edit the launcher to redefine SPLUNK_DB
vi /opt/splunk/splunk-launcher.cfg
# add "SPLUNK_DB=/splunkdata/splunk"
/opt/splunk/bin/splunk start
# then verify the old and new data are searchable.

I recommend the last method: redefine SPLUNK_DB.
It was quick.
I redefined SPLUNK_DB and moved my data; I now have 500GB of storage on the new partition for the indexes.
Later, I will need to add more partitions, and will use homePath and coldPath to relocate some indexes to them.
Hello, I'm looking to implement this "easiest method" solution and for some reason our latest version of Splunk does not have the "/opt/splunk/splunk-launcher.cfg" file. We are on version 7.3.0. Has something changed since this original posting?
Well, I actually found the answer in the documentation, and it may be appropriate for the details to be outlined here for others seeking an answer.
Newer versions of Splunk now have this value edited in:
/opt/splunk/etc/splunk-launch.conf
Cheers!
@johnklaiber This question is 5 years old with an accepted answer. It's also outdated. Please post a new question.
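An added example, not part of the original thread and not Splunk tooling: a pre-flight check for the SPLUNK_DB method that confirms the configured path is the directory the `mv` actually produced, and that it is off the root filesystem, before starting Splunk. The function names are hypothetical, the launch config path is passed in because the thread names two locations for it, and the "last assignment wins" parsing is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the SPLUNK_DB relocation described above.
# Function names are hypothetical; this is not Splunk tooling.

# Print the SPLUNK_DB a launch config yields. $1 = config file, $2 = SPLUNK_HOME.
# Assumption: plain KEY=VALUE lines, '#' comments, last assignment wins.
effective_splunk_db() {
    conf=$1; home=$2; value=""
    if [ -r "$conf" ]; then
        value=$(sed -n 's/^[[:space:]]*SPLUNK_DB[[:space:]]*=[[:space:]]*//p' "$conf" |
                tail -n 1 | tr -d '"\r')
    fi
    # Default stated on the page when the key is not set.
    [ -n "$value" ] || value="$home/var/lib/splunk"
    # Drop trailing slashes so string comparison is stable.
    while [ "$value" != "/" ] && [ "${value%/}" != "$value" ]; do
        value=${value%/}
    done
    printf '%s\n' "$value"
}

# Where `mv SRC DEST/` or `cp -R SRC DEST/` puts the data: an existing DEST
# directory receives SRC as a child directory, not SRC's contents.
landed_path() {
    if [ -d "$2" ]; then
        printf '%s/%s\n' "${2%/}" "$(basename "$1")"
    else
        printf '%s\n' "${2%/}"
    fi
}

# Return 0 only if the configured SPLUNK_DB is the directory holding the moved
# indexes. $1 = config file, $2 = SPLUNK_HOME, $3 = directory the data is in.
check_relocation() {
    db=$(effective_splunk_db "$1" "$2")
    if [ "$db" != "${3%/}" ]; then
        echo "MISMATCH: SPLUNK_DB=$db but indexes are in $3" >&2
        return 1
    fi
    [ -d "$db" ] || { echo "MISSING: $db is not a directory" >&2; return 2; }
}

# True when both paths sit on the same mounted filesystem, i.e. the move did
# not take the indexes off the small root partition.
same_filesystem() {
    a=$(df -P "$1" | awk 'NR==2 {print $NF}')
    b=$(df -P "$2" | awk 'NR==2 {print $NF}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run `check_relocation` with the launch config, /opt/splunk and the output of `landed_path` before `splunk start`; a `same_filesystem / <new path>` result of true means the data is still on the root partition.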