Deployment Architecture

Is it possible to store a recovered index database in a new file system separate from the Splunk installation folder?

Path Finder


I have to install Splunk on a new Linux machine.

I would like to know if it is possible to install Splunk on one file system and store the information recovered from databases, VMware and others on another file system, different from the Splunk installation folder.


0 Karma


If you want to put all indexes on a different filesystem, you have to modify the $SPLUNK_DB variable that you can find in /opt/splunk/etc/splunk-launch.conf.

Otherwise, if you want to put only some indexes there, you have to move them to the new location, following these steps:

  • stop Splunk
  • modify the index location (db, colddb, thaweddb) in $SPLUNK_HOME/etc/apps/yourapp/local/indexes.conf
  • copy files and directories from $SPLUNK_HOME/var/lib/splunk/myindex to newlocation/myindex
  • restart Splunk.

If you want, you could also put hot and warm buckets on one filesystem and cold buckets on another one (lower-performing and less expensive) using different locations in indexes.conf.

If you want to do this on a new index, you can also do it via the web GUI.

In any case, you can find a full description in:


0 Karma

Path Finder

In my splunk-launch.conf there are the following entries. Do I have to add a new entry?

#   Version 6.5.0

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
# SPLUNK_HOME=C:\Program Files\Splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var\lib\splunk subdirectory.  This can be overridden
# here:
# SPLUNK_DB=C:\wrangler-2.0\build-home\ivory\var\lib\splunk
# Splunkd service name

# Splunkweb service name
0 Karma

Splunk Employee

From here:

Stop Splunk, move the data, change the indexes.conf file to point to the new location. If you're moving not just one index, but the entire $SPLUNK_DB directory, you can instead edit the splunk-launch.conf file and modify the SPLUNK_DB setting. Then start Splunk up again.


0 Karma
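
The single-index move described in the answers above, as an added shell example that is not from the thread or from Splunk's documentation: it copies one index's directory to the new filesystem with permissions preserved, verifies the copy, and only then rewrites that index's paths in indexes.conf. The function names and arguments are hypothetical, and the stanza is assumed to already set homePath, coldPath and thawedPath (the settings behind the db, colddb and thaweddb directories).

```shell
#!/bin/sh
# Added example, not from the thread. Run only while Splunk is stopped.
# Assumes the index stanza already exists in CONF and uses the homePath,
# coldPath and thawedPath settings (the db, colddb and thaweddb directories).

# dir_digest DIR: one SHA-256 over every file's relative path and content.
dir_digest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + \
        | LC_ALL=C sort | sha256sum | cut -d' ' -f1 )
}

# relocate_index OLD_ROOT NEW_ROOT INDEX CONF
# Copies OLD_ROOT/INDEX to NEW_ROOT/INDEX, verifies the copy, then points
# the stanza [INDEX] in CONF at the new location. The source is kept.
relocate_index() {
    src="$1/$3"; dst="$2/$3"; conf="$4"
    [ -d "$src" ] || { echo "no such index directory: $src" >&2; return 1; }
    grep -qxF "[$3]" "$conf" || { echo "no [$3] stanza in $conf" >&2; return 1; }
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2; return 1
    fi
    mkdir -p "$2" || return 1
    # -p keeps mode and timestamps (and owner when run as root), so bucket
    # files do not become more readable on the new filesystem.
    cp -Rp "$src" "$dst" || return 1
    if [ "$(dir_digest "$src")" != "$(dir_digest "$dst")" ]; then
        echo "copy of $src does not match the source" >&2; return 1
    fi
    # Rewrite only the three path settings inside [INDEX]; keep a backup.
    cp -p "$conf" "$conf.bak" || return 1
    awk -v idx="[$3]" -v dst="$dst" '
        /^\[/ { in_idx = ($0 == idx) }
        in_idx && /^homePath[ \t]*=/   { print "homePath = " dst "/db"; next }
        in_idx && /^coldPath[ \t]*=/   { print "coldPath = " dst "/colddb"; next }
        in_idx && /^thawedPath[ \t]*=/ { print "thawedPath = " dst "/thaweddb"; next }
        { print }
    ' "$conf.bak" > "$conf"
}
```

Run it as the account that owns the Splunk data (or as root), then start Splunk and confirm the index is searchable before removing the old directory.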