I've been unable to find this answer directly. I think I've read between the lines of other questions/answers, but I want to make sure.
I have one fairly large index, called Core, that is chewing up the majority of all available space on H:. I had an H: for Hot and an I: for Cold buckets going out of the gate, but I didn't know enough about Splunk to know how to set it up correctly. I would like to move all my existing cold buckets from H: to I:.
I believe these are the steps:
Stop Splunk
copy each colddb directory from H:/Splunk/{index name}/colddb to I:/Splunk/{Index name}/colddb
copy indexes.conf from c:/program files/splunk/etc/system/default to c:/program files/splunk/etc/local
edit indexes.conf in c:/program files/splunk/etc/local and change:
index definitions
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
to
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = I:/SPLUNK/defaultdb/colddb
thawedPath = I:/SPLUNK/defaultdb/thaweddb
(I don't have any thaweddb data, so I don't need to copy any data.)
Save
Restart Splunk
*Not sure if using "defaultdb" in I:/splunk/defaultdb will work, since it doesn't appear to be valid variable syntax, but it will need to be a variable to work, since defaultdb needs to change for each of my index names.
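Added example (not part of the original post and not Splunk tooling): a Python check for the copy step in the procedure above, which compares each index's colddb on the old and new volume by SHA-256 and emits a coldPath stanza only for indexes whose copy is complete and unaltered. The function names, the stanza-to-directory mapping and the sample bucket data are constructed for illustration, and it assumes a local indexes.conf stanza only needs to carry the coldPath override.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_digest(root):
    """Map relative file path -> SHA-256 under root ({} if root is absent)."""
    root, out = Path(root), {}
    for p in (root.rglob("*") if root.is_dir() else ()):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:  # hash in chunks; bucket files can be large
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out

def plan_cold_move(old_root, new_root, index_dirs):
    """index_dirs maps stanza name -> directory name ("main" -> "defaultdb").
    Returns (indexes.conf text for verified indexes, {stanza: bad files})."""
    stanzas, problems = [], {}
    for stanza, dirname in sorted(index_dirs.items()):
        src = Path(old_root) / dirname / "colddb"
        dst = Path(new_root) / dirname / "colddb"
        want, have = tree_digest(src), tree_digest(dst)
        bad = sorted(f for f in want if have.get(f) != want[f])
        if not dst.is_dir():
            bad = ["<colddb directory missing>"]
        if bad:  # never repoint an index whose copy is incomplete or altered
            problems[stanza] = bad
        else:
            stanzas.append(f"[{stanza}]\ncoldPath = {dst.as_posix()}\n")
    return "\n".join(stanzas), problems

def demo():
    """Constructed sample: 'main' copied intact, 'core' copy truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "H"), Path(tmp, "I")
        for vol in (old, new):
            for d in ("defaultdb", "core"):
                bucket = vol / d / "colddb" / "db_2_1_0"  # constructed bucket name
                bucket.mkdir(parents=True)
                (bucket / "journal.gz").write_bytes(b"constructed " + d.encode())
        (new / "core/colddb/db_2_1_0/journal.gz").write_bytes(b"truncated")
        return plan_cold_move(old, new, {"main": "defaultdb", "core": "core"})

if __name__ == "__main__":
    text, problems = demo()
    print(text)
    print("not moved:", problems)
```

Run it while Splunk is stopped, after the copy and before editing indexes.conf, and keep the H: copies until every index comes back without problems.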