Re: Temporary relocating the dispatch folder.

agodoy · ‎05-02-2013

I am trying to move a massive amount of events from the main index to a dedicated index for the sourcetype. I am trying to do this by running a search and ...|collect index=dedicated index sourcetype=abc.

However, it seems like since the dispatch folder is on my / partition I am running out of space. I would like to temporarily move the folder to the same partitions that hosts the indexes since I have plenty of storage.

Any ideas on how to tackle this one?

Thanks

agodoy · ‎05-03-2013

The folder does not have much. I really would suck to do it 1 day at a time for the last 6 months.

Can I rename the main index and then creat another main index or would that mess with Splunk?

yannK · ‎05-03-2013

As long as the index is defined in indexes.conf, you can move and rename it.
So yes.

yannK · ‎05-03-2013

Why not emptying the dispatch folder instead,
Or run your searches over a smaller time range ?

Temporary relocating the dispatch folder.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation