All Apps and Add-ons

Splunk Amazon AMI is using the root partition to store data. How do I change it?

mataharry
Communicator

I Installed an Amazon Ubuntu using the preconfigured splunk AMI.
Splunk is installed on /opt/splunk, with the indexes and the dispatch folder

The problem is that my root "/" partition is very small (2GB), and the indexes are filling it.
in particular /opt/splunk/var/lib/splunk with the indexes.
How to relocate the indexes to a larger partition that I mounted (EBS in my case) ?

Tags (3)
1 Solution

yannK
Splunk Employee
Splunk Employee

Let's imagine you have a new mount /splunkdata/ and want to use this space.

You have 4 methods to free space on the root "/" partition.

  • A way is to more/reinstall splunk to the new storage
    by example, install splunk on /splunkdata/splunk. if you are using a simple tar installer, it's quick to move, if you are using a rpm install, you have to save the data, uninstall and reinstall on the new path

    at the end recreate, the service with /path/to/my/new/splunk/bin/splunk disable boot-start; /path/to/my/new/splunk/bin/splunk enable boot-start

  • Use a Simlink but this does not play well with the size volume calculation.

    /opt/splunk/bin/splunk stop

    move the index data to the new location

    cp -R /opt/splunk/var/lib/splunk /splunkdata/

    remove the folder

    rm -rf /opt/splunk/var/lib/splunk

    create the symlink

    ln -s /splunkdata/ /opt/splunk/var/lib/splunk
    ls -la /opt/splunk/var/lib

  • Meticulously move individual index at a time to a new location (homePath and coldPath in indexes.conf)
    http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex

  • The easiest method is to redefine a new base paths SPLUNK_DB for all the indexes.

the defaultSPLUNK_DB point to SPLUNK_HOME/var/lib/splunk

/opt/splunk/bin/splunk stop
# move the indexes data to the new location
mv  /opt/splunk/var/lib/splunk /splunkdata/
# edit the launcher to redefine 
vi /opt/splunk/splunk-launcher.cfg
# add "SPLUNK_DB=/splunkdata/"
/opt/splunk/bin/splunk start
#then verify the old and new data are searchable.

I recommend the last method, and redefine SPLUNK_DB

View solution in original post

yannK
Splunk Employee
Splunk Employee

Let's imagine you have a new mount /splunkdata/ and want to use this space.

You have 4 methods to free space on the root "/" partition.

  • A way is to more/reinstall splunk to the new storage
    by example, install splunk on /splunkdata/splunk. if you are using a simple tar installer, it's quick to move, if you are using a rpm install, you have to save the data, uninstall and reinstall on the new path

    at the end recreate, the service with /path/to/my/new/splunk/bin/splunk disable boot-start; /path/to/my/new/splunk/bin/splunk enable boot-start

  • Use a Simlink but this does not play well with the size volume calculation.

    /opt/splunk/bin/splunk stop

    move the index data to the new location

    cp -R /opt/splunk/var/lib/splunk /splunkdata/

    remove the folder

    rm -rf /opt/splunk/var/lib/splunk

    create the symlink

    ln -s /splunkdata/ /opt/splunk/var/lib/splunk
    ls -la /opt/splunk/var/lib

  • Meticulously move individual index at a time to a new location (homePath and coldPath in indexes.conf)
    http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Moveanindex

  • The easiest method is to redefine a new base paths SPLUNK_DB for all the indexes.

the defaultSPLUNK_DB point to SPLUNK_HOME/var/lib/splunk

/opt/splunk/bin/splunk stop
# move the indexes data to the new location
mv  /opt/splunk/var/lib/splunk /splunkdata/
# edit the launcher to redefine 
vi /opt/splunk/splunk-launcher.cfg
# add "SPLUNK_DB=/splunkdata/"
/opt/splunk/bin/splunk start
#then verify the old and new data are searchable.

I recommend the last method, and redefine SPLUNK_DB

mataharry
Communicator

It was quick.

I redefined the SPLUNK_DB and moved my data, I have now 500GB of Storage on the new partition for the indexes.
Later, I will need to add more Partitions, and will use the homePath and coldPath to relocate some indexes on it.

johnklaiber
New Member

Hello, I'm looking to implement this "easiest method" solution and for some reason our latest version of Splunk does not have the "/opt/splunk/splunk-launcher.cfg" file. We are version 7.3.0, has something changed since this original posting?

0 Karma

johnklaiber
New Member

Well, I actually found the answer in documentation and it may be appropriate for the details to be outlined here in this case for others seeking an answer.

Newer versions of Splunk will now have this value edited in:
/opt/splunk/etc/splunk-launch.conf

Cheers!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@johnklaiber This question is 5 years old with an accepted answer. It's also outdated. Please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...