Solved: Moving the _audit index

peter_gianusso · ‎11-11-2013

I need to move just the _audit index from the c drive to a d drive on a windows server.

How do I do that? I found an article on pre-6.0 but can't find anything for Splunk 6.0

jtrucks · ‎11-11-2013

create $SPLUNK_HOME/etc/system/local/indexes.conf and add these lines:

[_audit]
homePath   = $SPLUNK_DB/audit/db
coldPath   = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary

Change the paths as you wish. Stop splunk, copy/move the files to the new location, start splunk.

--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks · ‎11-11-2013

create $SPLUNK_HOME/etc/system/local/indexes.conf and add these lines:

[_audit]
homePath   = $SPLUNK_DB/audit/db
coldPath   = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary

Change the paths as you wish. Stop splunk, copy/move the files to the new location, start splunk.

--
Jesse Trucks
Minister of Magic

Moving the _audit index

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Moving the _audit index

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...