Monitoring Splunk

Moving to new hard drive space


So I've seen many posts that seem to cover parts of this but here's what I'm looking for:

have a single instance of Splunk running on a physical server with 1TB of HD. Don't have enough space to hold the required amout of data so out network team has added me to the SAN and given me 2 TB. So now I have a 😧 drive where Splunk is installed and also the Data, and an E: Drive that is empty.

What is the best way to distribute this space so I can maximize the historical searching I can do as well as get best performance?

I'm a little fuzzy on the hot/warm/cold buckets concept as I only currently have 1 area defined to put everything...



Found enough detail in the manual to do the move myself. It involves shutting down Splunk, moving the files, editing the configuration prior to restarting splunk to look for the data in the new location....

99% complete as there are still a few files (not huge database) that are being updated in old path but I can live with that. the core database files are now collecting on the new drive.

0 Karma


Did you complete this? I have to do something similar now and am curious about how this went and what you chose to do.

0 Karma


this documentation topic explains how indexes/buckets work overall, it might be helpful in making your decision:

this topic is about performance of search vs indexing:

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...