Splunk Enterprise

Moving the index database

lbogle
Contributor

Hello Splunkers,
I need to move my indexes on my Linux Indexer (v5.0) over to another location on the box w/ more HD space. I recently read an article regarding moving the Splunk database: http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Moveanindex

It walks you through moving the index pretty well except for identifying what the DB is exactly. It says cp -rp $SPLUNK_DB/* which I'm guessing is everything under /opt/splunk/var/lib in a default install. Can anyone confirm that?
Thanks for your help.

0 Karma

gkanapathy
Splunk Employee

$SPLUNK_DB is simply the default location of the index. All you have to do is move the directory. It actually doesn't matter where, as long as your indexes.conf file is updated from the old location to the new location. However, default indexes are defined relative to $SPLUNK_DB, so you can relocate all of them by modifying that instead of each entry in the indexes.conf file if you want.

0 Karma

lbogle
Contributor

Thanks for the answers everyone!

0 Karma

DaveSavage
Builder

lbogle - we went through the same, but on a W2k8 platform - if you can 'convert' this to *nix speak, you should be good (I think you are correct re the /opt/var/lib path):
For Windows users:
1. Make sure the target drive or directory has enough space available.
Caution: Using mapped network drives for index stores is strongly discouraged and not supported.
2. From a command prompt, go to your target drive and make sure the target directory has the correct permissions, so that the splunkd process can write to files there:
C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <user Splunk runs as>:F
For more information about determining the user Splunk runs as, review this topic on installing Splunk on Windows.
Note: Windows Vista, 7, Server 2003 and Server 2008 users can also use icacls to ensure directory permissions are correct; this Microsoft TechNet article gives information on specific command-line arguments.
3. Stop Splunk. Navigate to the %SPLUNK_HOME%\bin directory and use the command:

.\splunk stop
Note: You can also use the Services control panel to stop the Splunkd and SplunkWeb services.
4. Copy the existing index filesystem to its new home:
xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k
5. Edit %SPLUNK_HOME%\etc\splunk-launch.conf to reflect the new index directory. Change the SPLUNK_DB attribute in that file to point to your new index directory:
SPLUNK_DB=D:\new\path\for\index
Note: If the line in the configuration file that contains the SPLUNK_DB attribute has a pound sign (#) as its first character, the line is commented out, and the # needs to be removed.
6. Start Splunk. Navigate to the %SPLUNK_HOME%\bin directory and use the command:
.\splunk start
The Splunk server picks up where it left off, reading from, and writing to, the new copy of the index.
7. You can delete the old index database after verifying that Splunk can read and write to the new location.

0 Karma
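
The same sequence on a Linux indexer, as an added example that is not part of the original posts or of Splunk's documentation. It assumes the default index location $SPLUNK_HOME/var/lib/splunk and a hypothetical target /data/splunk-index, uses illustrative function names, and goes one step past the posts by comparing the copy against the source before Splunk is restarted.

```shell
#!/bin/sh
# Added example: relocate $SPLUNK_DB on a Linux indexer. Function names and
# the default path below are assumptions, not Splunk-provided tooling.

# Point SPLUNK_DB in splunk-launch.conf at the new directory, replacing an
# existing line whether it is active or commented out with '#'.
set_splunk_db() {   # $1 = splunk-launch.conf, $2 = new index directory
    conf=$1; tmp="$1.tmp.$$"
    grep -Ev '^[[:space:]]*#?[[:space:]]*SPLUNK_DB[[:space:]]*=' "$conf" > "$tmp" || true
    printf 'SPLUNK_DB=%s\n' "$2" >> "$tmp"
    # Write back through the original file so its owner and mode are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Copy the index tree with owner, mode and timestamps preserved (cp -p),
# refusing to start if the target lacks space, then compare both trees.
copy_index() {      # $1 = old index directory, $2 = new index directory
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    need=$(du -sk "$src" | awk '{print $1}')
    free=$(df -Pk "$dst" | awk 'NR==2 {print $4}')
    if [ "$free" -le "$need" ]; then
        echo "not enough free space in $dst" >&2; return 1
    fi
    cp -rp "$src"/. "$dst"/ || return 1
    diff -r "$src" "$dst" > /dev/null
}

# Full sequence: stop, copy, repoint, start. Run as the user Splunk runs as
# (or root) so ownership of the copied buckets survives.
relocate_index() {  # $1 = SPLUNK_HOME, $2 = new index directory
    old_db=${SPLUNK_DB:-$1/var/lib/splunk}   # assumed default location
    "$1/bin/splunk" stop || return 1
    copy_index "$old_db" "$2" || return 1
    set_splunk_db "$1/etc/splunk-launch.conf" "$2" || return 1
    "$1/bin/splunk" start
}

# Example: sh move_index.sh /opt/splunk /data/splunk-index
if [ "$#" -eq 2 ]; then
    relocate_index "$1" "$2"
fi
```

The old directory is left in place; remove it only after searches against the new location return the expected events.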

DaveSavage
Builder

Sorry - there are quite a few backslashes gone AWOL in that pasting. Email me and I will send the orig Word doc over if you need it.

0 Karma