Solved: Moving the _audit index

peter_gianusso · ‎11-11-2013

I need to move just the _audit index from the c drive to a d drive on a windows server.

How do I do that? I found an article on pre-6.0 but can't find anything for Splunk 6.0

jtrucks · ‎11-11-2013

create $SPLUNK_HOME/etc/system/local/indexes.conf and add these lines:

[_audit]
homePath   = $SPLUNK_DB/audit/db
coldPath   = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary

Change the paths as you wish. Stop splunk, copy/move the files to the new location, start splunk.

--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks · ‎11-11-2013

create $SPLUNK_HOME/etc/system/local/indexes.conf and add these lines:

[_audit]
homePath   = $SPLUNK_DB/audit/db
coldPath   = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
tstatsHomePath = volume:_splunk_summaries/audit/datamodel_summary

Change the paths as you wish. Stop splunk, copy/move the files to the new location, start splunk.

--
Jesse Trucks
Minister of Magic

Moving the _audit index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation