Is it possible to store a recovered index database in a new file system separate from the Splunk installation folder?

I have to install Splunk on a new Linux machine.

I would like to know if it is possible to install Splunk on one file system and store the information recovered from databases, VMware and others on another file system, different from the Splunk installation folder.


If you want to put all indexes on a different filesystem, you have to modify the $SPLUNK_DB variable, which you can find in /opt/splunk/etc/splunk-launch.conf.

Otherwise, if you want to move only some indexes, you have to move them to the new location, following these steps:

  • stop Splunk
  • modify the index location (db, colddb, thaweddb) in $SPLUNK_HOME/etc/apps/yourapp/local/indexes.conf
  • copy files and directories from $SPLUNK_HOME/var/lib/splunk/myindex to newlocation/myindex
  • restart Splunk

If you want, you could also put hot and warm buckets on one filesystem and cold buckets on another one (lower performing and less expensive) using different locations in indexes.conf.

If you want to do this for a new index, you can also do it through the web GUI.

Either way, you can find a full description in:


In my splunk-launch.conf there are the following entries. Do I have to add a new entry?

#   Version 6.5.0

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
# SPLUNK_HOME=C:\Program Files\Splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var\lib\splunk subdirectory.  This can be overridden
# here:
# SPLUNK_DB=C:\wrangler-2.0\build-home\ivory\var\lib\splunk
# Splunkd service name

# Splunkweb service name

From here:

Stop Splunk, move the data, change the indexes.conf file to point to the new location. If you're moving not just one index, but the entire $SPLUNK_DB directory, you can instead edit the splunk-launch.conf file and modify the SPLUNK_DB setting. Then start Splunk up again.
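The per-index procedure both answers describe (stop Splunk, copy the index, point indexes.conf at the new location), as an added shell example that is not part of the original thread. The function name `relocate_index`, its argument order and its refusal checks are assumptions of this example; `homePath`, `coldPath` and `thawedPath` are the indexes.conf settings for the db, colddb and thaweddb directories.

```shell
#!/bin/sh
# relocate_index SPLUNK_HOME APP INDEX NEW_ROOT   (hypothetical helper)
# Run with Splunk stopped, as the account that owns the Splunk files:
#   "$SPLUNK_HOME/bin/splunk" stop
#   relocate_index "$SPLUNK_HOME" yourapp myindex /newlocation
#   "$SPLUNK_HOME/bin/splunk" start
# The body is a subshell, so umask and exit do not leak into the caller.
relocate_index() (
    splunk_home=$1; app=$2; index=$3; new_root=$4
    src="$splunk_home/var/lib/splunk/$index"
    dst="$new_root/$index"
    conf="$splunk_home/etc/apps/$app/local/indexes.conf"

    [ -d "$src" ] || { echo "no index directory: $src" >&2; exit 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; exit 1; }
    # Do not append a second [index] stanza to a file that already has one.
    if [ -f "$conf" ] && grep -qxF "[$index]" "$conf"; then
        echo "[$index] already defined in $conf; edit it by hand" >&2
        exit 1
    fi

    # Indexed events are often sensitive: create the new parent directory
    # and indexes.conf without access for other local users.
    umask 077
    mkdir -p "$new_root" "$(dirname "$conf")" || exit 1
    # -p keeps mode and timestamps, and ownership where the caller may set it.
    cp -Rp "$src" "$dst" || exit 1

    # Only point Splunk at the copy once it matches the source.
    if ! diff -r "$src" "$dst" >/dev/null; then
        echo "copy differs from source; indexes.conf left unchanged" >&2
        exit 1
    fi

    cat >>"$conf" <<EOF
[$index]
homePath = $dst/db
coldPath = $dst/colddb
thawedPath = $dst/thaweddb
EOF
)
```

The source directory is left in place so the move can be rolled back; remove it only after Splunk has restarted and the index is searchable from the new location.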

