I have to install Splunk on a new Linux machine.
I would like to know if it is possible to install Splunk on one file system and store the information recovered from databases, VMware and others on another file system, different from the Splunk installation folder.
Stop Splunk, move the data, change the indexes.conf file to point to the new location. If you're moving not just one index, but the entire $SPLUNK_DB directory, you can instead edit the splunk-launch.conf file and modify the SPLUNK_DB setting. Then start Splunk up again.
If you want to put all indexes on a different filesystem, you have to modify the $SPLUNK_DB variable, which you can find in /opt/splunk/etc/splunk-launch.conf.
Otherwise, if you want to move only some indexes, you have to move them to the new location, following some steps:
If you want to do this for a new index, you can also do it through the web GUI.
In any case, you can find a full description in:
In my splunk-launch.conf there are the following entries. Do I have to add a new entry?
```
# Version 6.5.0

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
# SPLUNK_HOME=C:\Program Files\Splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var\lib\splunk subdirectory. This can be overridden
# here:
#
# SPLUNK_DB=C:\wrangler-2.0\build-home\ivory\var\lib\splunk

# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd

# Splunkweb service name
SPLUNK_WEB_NAME=splunkweb
```
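Added example, not part of the original thread: a shell version of the procedure described in the answers (stop Splunk, copy the index data, set SPLUNK_DB in splunk-launch.conf, start Splunk). It assumes the indexes are still in the default $SPLUNK_HOME/var/lib/splunk; the function names and the paths in the usage comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes a default Linux layout where the
# indexes still live in $SPLUNK_HOME/var/lib/splunk; function names are hypothetical.

# set_splunk_db CONF NEW_DB
# Point SPLUNK_DB at NEW_DB in a splunk-launch.conf: rewrite the active
# SPLUNK_DB= line if one exists, otherwise append one. Commented sample lines
# such as "# SPLUNK_DB=..." are inactive and are left untouched.
set_splunk_db() {
    local conf="$1" new_db="$2" tmp rc
    tmp=$(mktemp) || return 1
    # NEW_DB goes through the environment so awk does not expand backslashes.
    NEW_DB="$new_db" awk '
        /^[ \t]*SPLUNK_DB[ \t]*=/ {
            if (!done) print "SPLUNK_DB=" ENVIRON["NEW_DB"]
            done = 1
            next
        }
        { print }
        END { if (!done) print "SPLUNK_DB=" ENVIRON["NEW_DB"] }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# move_splunk_db SPLUNK_HOME NEW_DB
# Stop Splunk, copy every index to NEW_DB, repoint SPLUNK_DB, start Splunk.
# The old directory is left in place so the change can be rolled back; remove
# it only after the indexes are confirmed searchable from the new location.
move_splunk_db() {
    local home="$1" new_db="$2"
    local old_db="$home/var/lib/splunk"          # default index location
    "$home/bin/splunk" stop || return 1
    mkdir -p "$new_db" || return 1
    # -a preserves ownership, modes and timestamps, so the account that runs
    # Splunk can still read and write the copied buckets.
    cp -a "$old_db/." "$new_db/" || return 1
    set_splunk_db "$home/etc/splunk-launch.conf" "$new_db" || return 1
    "$home/bin/splunk" start
}

# Usage (hypothetical paths): move_splunk_db /opt/splunk /data/splunk
```

Run it as the account that owns the Splunk installation, and check that the new file system is mounted and writable by that account before starting.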