Importing Data From One index to my Splunk Enterprise

New Member

Hi guys,

I am trying to import data from an index provided by the instructor of a Splunk training course.

Follow the steps below:

To Import Course Example Data:

  • Navigate to Settings -> Indexes -> New Index
  • Create a new index with the desired name
  • Save the new index
  • Use file transfer program to transfer the four folders into new index folder within the Splunk OS
        *Nix: /opt/splunk/var/lib/splunk/INDEX_NAME
  • Search imported data by searching just this index

The file mentioned above has the four folders: colddb, datamodel_summary, db and thaweddb.

I copied all the above files, skipping the .bucketManifest and CreationTime files.

The next step I did was restart Splunk.

This procedure did not work. The current size of my index was 0B.

That is, it seems that my Splunk Enterprise (Indexer) did not recognize the index data copied and provided by the instructor.

What can it be?

0 Karma

Esteemed Legend

You realize that INDEX_NAME is a placeholder, right? You have to substitute INDEX_NAME text for the actual name of the index that you created from the GUI.

0 Karma

New Member

Hi @woodcock ,

My INDEX_NAME is in this path in my windows machine: C:\Program Files\Splunk\var\lib\splunk\

And this index folder is the same name that I created in my GUI Splunk Enterprise.

0 Karma


Hi ivialex,
did you create indexes.conf before restarting Splunk?
the correct procedure should be:

  • create an indexes.conf or add to an existing one the information about the new index:
        [sample]
        homePath = $SPLUNK_DB\sample\db
        coldPath = $SPLUNK_DB\sample\colddb
        thawedPath = $SPLUNK_DB\sample\thaweddb
  • create a folder in $SPLUNK_HOME/var/lib/splunk/my_index or in your $SPLUNK_DB
  • copy the four subfolders under my_index
  • give the same grants and ownership of the other indexes
  • restart Splunk


0 Karma

New Member

Hi @gcusello ,

I tried to follow your instructions as below:

index definitions

homePath = $SPLUNK_DB\pluralsight_generating_tailored_searches_splunk\db
coldPath = $SPLUNK_DB\pluralsight_generating_tailored_searches_splunk\colddb
thawedPath = $SPLUNK_DB\pluralsight_generating_tailored_searches_splunk\thaweddb
maxDataSize = 100

And yet, it doesn't start splunk service on my windows.

0 Karma


Hi ivialex,
you can see the value of $SPLUNK_DB variable in $SPLUNK_HOME\etc\splunk-launch.conf
it is usually commented.
If it's commented you can replace $SPLUNK_DB with $SPLUNK_HOME\var\lib\splunk

Then, don't use maxDataSize = 100 because in this way you could delete some data.

When you try to restart windows services, use the cmd window with administration grants, in this way you can see if there's any problem.


0 Karma

New Member

Hi @gcusello ,

My local indexes.conf as below:

homePath =
coldPath =
thawedPath =

My splunk-launch.conf as below:

# Version 7.3.2

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
SPLUNK_HOME=C:\Program Files\Splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var\lib\splunk subdirectory. This can be overridden

# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd

# Splunkweb service name
SPLUNK_WEB_NAME=splunkweb

The result of using the cmd window with administration grants as below:

C:\Program Files\Splunk\bin>splunk start --accept-license

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port []: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
(skipping validation of index paths because not running as
Validated: _audit _internal _introspection _telemetry _thefishbucket edureka_access_combined_wcookie history main
Checking filesystem compatibility... Done
Checking conf files for problems...
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program
All installed files intact.
Done All preliminary checks passed.

Starting splunk server daemon

Splunkd: Starting (pid 12628)

Timed out waiting for splunkd to

C:\Program Files\Splunk\bin>

And it didn't work fine. My instructor sent me the .csv file to import data. I believe that there is a conflict between the data systems because they are different operating systems.
Then I will try to install Splunk on a Linux for example, on a virtual machine and try the same procedure to see if this problem is due to having exported the data on an operating system (Linux or Mac) and trying to import on a Windows.

0 Karma


Hi ivialex,
this means that the $SPLUNK_DB is the default one.

Please check your indexes.conf files, probably you have your index in more than one file.


0 Karma
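
The checks suggested in the replies above (a stanza with its three path settings, and looking for the same index in more than one indexes.conf), as an added example that is not part of any poster's reply or of Splunk's own tooling. It parses indexes.conf text and flags empty path settings, paths that do not end in the copied db/colddb/thaweddb folders, and an index defined in several files. The function names, file names and sample contents are constructed for illustration, and the parser handles only plain `key = value` lines.

```python
import re
# Each path setting should end in the copied bucket folder it is meant to serve.
EXPECTED_LEAF = {"homePath": "db", "coldPath": "colddb", "thawedPath": "thaweddb"}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas = {}
    current = stanzas.setdefault("default", {})  # keys before any [stanza]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_index(index, conf_files, splunk_db):
    """Return problems found for `index` in {file name: file text}."""
    problems, defined_in = [], []
    for name, text in conf_files.items():
        stanza = parse_conf(text).get(index)
        if stanza is None:
            continue
        defined_in.append(name)
        for key, leaf in EXPECTED_LEAF.items():
            value = stanza.get(key, "").replace("$SPLUNK_DB", splunk_db)
            if not value:
                problems.append(f"{name}: {key} is missing or empty")
            elif re.split(r"[\\/]", value.rstrip("\\/"))[-1] != leaf:
                problems.append(f"{name}: {key} does not end in '{leaf}'")
    if not defined_in:
        problems.append(f"[{index}] is not defined in any file")
    elif len(defined_in) > 1:
        problems.append(f"[{index}] is defined in {len(defined_in)} files")
    return problems

# Constructed sample input: file names and contents are illustrative only.
SAMPLE_FILES = {
    "system/local/indexes.conf": "[sample]\nhomePath = $SPLUNK_DB\\sample\\db\n"
        "coldPath = $SPLUNK_DB\\sample\\colddb\nthawedPath = $SPLUNK_DB\\sample\\thaweddb\n",
    "apps/search/local/indexes.conf": "[sample]\nhomePath =\ncoldPath =\nthawedPath =\n",
}

if __name__ == "__main__":
    print("\n".join(audit_index("sample", SAMPLE_FILES, r"C:\Program Files\Splunk\var\lib\splunk")))
```
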


Have you contacted the instructor?

If this reply helps you, Karma would be appreciated.
0 Karma

New Member

Hi @richgalloway . Yes, I sent an email to my instructor. He replied to my questions and I'll try his instructions.

0 Karma


Did you make sure the files have the same permissions? For example owned by the splunk user.

0 Karma

New Member

Hi @anthonymelita . I checked and I'll try to import and start with the admin user. I created the index, then I stopped my service in Windows. Then I deleted all the folders inside my index. After that I copied the four new folders and started the service. But it didn't work either.

0 Karma