Splunk Enterprise

Moving the index database

lbogle
Contributor

Hello Splunkers,
I need to move my indexes on my Linux Indexer (v5.0) over to another location on the box w/ more HD space. I recently read an article regarding moving the Splunk database: http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Moveanindex

It walks you through moving the index pretty well except for identifying what the DB is exactly. It says cp -rp $SPLUNK_DB/* which I'm guessing is everything under /opt/splunk/var/lib in a default install. Can anyone confirm that?
Thanks for your help.

0 Karma

gkanapathy
Splunk Employee

$SPLUNK_DB is simply the default location of the index. All you have to do is move the directory. It actually doesn't matter where, as long as your indexes.conf file is updated from the old location to the new location. However, default indexes are defined relative to $SPLUNK_DB, so you can relocate all of them by modifying that instead of each entry in the indexes.conf file if you want.

0 Karma

lbogle
Contributor

Thanks for the answers everyone!

0 Karma

DaveSavage
Builder

lbogle - we went through the same, but on a W2k8 platform - if you can 'convert' this to *nix speak, you should be good (I think you are correct re the /opt/var/lib path):
For Windows users:
1. Make sure the target drive or directory has enough space available.
Caution: Using mapped network drives for index stores is strongly discouraged and not supported.
2. From a command prompt, go to your target drive and make sure the target directory has the correct permissions, so that the splunkd process can write to files there:
C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk runs as>:F
For more information about determining the user Splunk runs as, review this topic on installing Splunk on Windows.
Note: Windows Vista, 7, Server 2003 and Server 2008 users can also use icacls to ensure directory permissions are correct; this Microsoft TechNet article gives information on specific command-line arguments.
3. Stop Splunk. Navigate to the %SPLUNK_HOME%\bin directory and use the command:

.\splunk stop
Note: You can also use the Services control panel to stop the Splunkd and SplunkWeb services.
4. Copy the existing index filesystem to its new home:
xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k
5. Edit %SPLUNK_HOME%\etc\splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:
SPLUNK_DB=D:\new\path\for\index
Note: If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, the line is commented out, and the # needs to be removed.
6. Start Splunk. Navigate to the %SPLUNK_HOME%\bin directory and use the command:
.\splunk start
The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.
7. You can delete the old index database after verifying that Splunk can read and write to the new location.

0 Karma

DaveSavage
Builder

Sorry - there are quite a few backslashes gone AWOL in that pasting. Email me and I will send the orig Word doc over if you need it.

0 Karma
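The Linux equivalent of the steps discussed in this thread, as an added example that is not part of any poster's reply or of Splunk's documentation. It assumes a default install under /opt/splunk with the index database in $SPLUNK_HOME/var/lib/splunk; the target path /data/splunk-index and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: relocate $SPLUNK_DB on a Linux indexer.
# Assumed paths: /opt/splunk (install), /data/splunk-index (hypothetical target).

# Copy the index tree, keeping ownership, modes and timestamps (-p) so that
# splunkd can still read and write the buckets, then verify the copy.
# "$old"/. is used instead of "$old"/* so that dotfiles are copied as well.
copy_index_db() {   # usage: copy_index_db <old_db> <new_db>
    local old="$1" new="$2"
    mkdir -p "$new" || return 1
    cp -rp "$old"/. "$new"/ || return 1
    diff -r "$old" "$new" >/dev/null   # non-zero if the copy differs
}

# Point SPLUNK_DB in splunk-launch.conf at the new location. The first
# SPLUNK_DB line, commented out (#) or not, is replaced by an active one,
# any further SPLUNK_DB lines are dropped, and the setting is appended if
# the file had none. Writing back with cat keeps the file's owner and mode.
set_splunk_db() {   # usage: set_splunk_db <splunk-launch.conf> <new_db>
    local conf="$1" new_db="$2" tmp
    tmp=$(mktemp) || return 1
    NEW_DB="$new_db" awk '
        /^[ \t]*#?[ \t]*SPLUNK_DB[ \t]*=/ {
            if (!done) { print "SPLUNK_DB=" ENVIRON["NEW_DB"]; done = 1 }
            next
        }
        { print }
        END { if (!done) print "SPLUNK_DB=" ENVIRON["NEW_DB"] }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    local rc=$?
    rm -f "$tmp"
    return $rc
}

# Full procedure: stop, copy and verify, repoint, start.
# The old index tree is left in place until the new one is confirmed working.
move_index_db() {   # usage: move_index_db <splunk_home> <new_db>
    local home="$1" new="$2" old
    old="${SPLUNK_DB:-$home/var/lib/splunk}"
    "$home/bin/splunk" stop || return 1
    copy_index_db "$old" "$new" || return 1
    set_splunk_db "$home/etc/splunk-launch.conf" "$new" || return 1
    "$home/bin/splunk" start
}

# Example call, run as the user that owns the Splunk install:
#   move_index_db /opt/splunk /data/splunk-index
```

Indexes that have explicit paths in indexes.conf rather than paths relative to $SPLUNK_DB still need those entries updated by hand, as noted in the accepted answer.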