Monitoring Splunk

Change var folder of Splunk to another partition

sigma
Path Finder

Hi,

I installed Splunk in a linux server on /opt/splunk. The server has two disks, one 50 GB (sdb1) and another 6 TB (sda1). I want to save /opt/splunk/var  folder (and all of its contents) of Splunk to /splunk/var (sda1) which second huge partition is mounted.

Actually I want to separate etc and var in case of partition. etc remain on sdb1 and var be in sda1.

I need a detailed solution
Thanks

Labels (2)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @sigma ,

as @richgalloway said, on Linux usually Splunk is installed on /opt and it's a best practice to ha file system separated from root and this location is configured in an enviromental variable called %SPLUNK_HOME.

For data it's possible to setup a variable (called $SPLUNK_DB) that indicates the location of the file system containing the data folders. not the $SPLUNK_HOME/var folder, that's a best practice to set up in a different and larger file system.

So you can go in $SPLUNK_HOME/etc/splunk-launch.conf and configure $SPLUNK_HOME variable for your system.

Obviously this action is only for Indexers or stand-alone Splunk systems, not for the other roles.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @sigma ,

as @richgalloway said, on Linux usually Splunk is installed on /opt and it's a best practice to ha file system separated from root and this location is configured in an enviromental variable called %SPLUNK_HOME.

For data it's possible to setup a variable (called $SPLUNK_DB) that indicates the location of the file system containing the data folders. not the $SPLUNK_HOME/var folder, that's a best practice to set up in a different and larger file system.

So you can go in $SPLUNK_HOME/etc/splunk-launch.conf and configure $SPLUNK_HOME variable for your system.

Obviously this action is only for Indexers or stand-alone Splunk systems, not for the other roles.

Ciao.

Giuseppe

richgalloway
SplunkTrust
SplunkTrust

Splunk has provision for two mount points: $SPLUNK_HOME (/opt/splunk, by default) and $SPLUNK_DB (/opt/splunk/var/run/splunk by default).  Breaking the file system at other points is possible using links, but doing so is uncommon and not without risks.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...