Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Amazon AMI is using the root partition to s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I Installed an Amazon Ubuntu using the preconfigured splunk AMI.
Splunk is installed on /opt/splunk, with the indexes and the dispatch folder
The problem is that my root "/" partition is very small (2GB), and the indexes are filling it.
in particular /opt/splunk/var/lib/splunk with the indexes.
How to relocate the indexes to a larger partition that I mounted (EBS in my case) ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's imagine you have a new mount /splunkdata/ and want to use this space.
You have 4 methods to free space on the root "/" partition.
A way is to more/reinstall splunk to the new storage
by example, install splunk on /splunkdata/splunk. if you are using a simple tar installer, it's quick to move, if you are using a rpm install, you have to save the data, uninstall and reinstall on the new path
at the end recreate, the service with/path/to/my/new/splunk/bin/splunk disable boot-start; /path/to/my/new/splunk/bin/splunk enable boot-startUse a Simlink but this does not play well with the size volume calculation.
/opt/splunk/bin/splunk stop
move the index data to the new location
cp -R /opt/splunk/var/lib/splunk /splunkdata/
remove the folder
rm -rf /opt/splunk/var/lib/splunk
create the symlink
ln -s /splunkdata/ /opt/splunk/var/lib/splunk
ls -la /opt/splunk/var/libMeticulously move individual index at a time to a new location (homePath and coldPath in indexes.conf)
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/MoveanindexThe easiest method is to redefine a new base paths SPLUNK_DB for all the indexes.
the defaultSPLUNK_DB point to SPLUNK_HOME/var/lib/splunk
/opt/splunk/bin/splunk stop
# move the indexes data to the new location
mv /opt/splunk/var/lib/splunk /splunkdata/
# edit the launcher to redefine
vi /opt/splunk/splunk-launcher.cfg
# add "SPLUNK_DB=/splunkdata/"
/opt/splunk/bin/splunk start
#then verify the old and new data are searchable.
I recommend the last method, and redefine SPLUNK_DB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's imagine you have a new mount /splunkdata/ and want to use this space.
You have 4 methods to free space on the root "/" partition.
A way is to more/reinstall splunk to the new storage
by example, install splunk on /splunkdata/splunk. if you are using a simple tar installer, it's quick to move, if you are using a rpm install, you have to save the data, uninstall and reinstall on the new path
at the end recreate, the service with/path/to/my/new/splunk/bin/splunk disable boot-start; /path/to/my/new/splunk/bin/splunk enable boot-startUse a Simlink but this does not play well with the size volume calculation.
/opt/splunk/bin/splunk stop
move the index data to the new location
cp -R /opt/splunk/var/lib/splunk /splunkdata/
remove the folder
rm -rf /opt/splunk/var/lib/splunk
create the symlink
ln -s /splunkdata/ /opt/splunk/var/lib/splunk
ls -la /opt/splunk/var/libMeticulously move individual index at a time to a new location (homePath and coldPath in indexes.conf)
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/MoveanindexThe easiest method is to redefine a new base paths SPLUNK_DB for all the indexes.
the defaultSPLUNK_DB point to SPLUNK_HOME/var/lib/splunk
/opt/splunk/bin/splunk stop
# move the indexes data to the new location
mv /opt/splunk/var/lib/splunk /splunkdata/
# edit the launcher to redefine
vi /opt/splunk/splunk-launcher.cfg
# add "SPLUNK_DB=/splunkdata/"
/opt/splunk/bin/splunk start
#then verify the old and new data are searchable.
I recommend the last method, and redefine SPLUNK_DB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was quick.
I redefined the SPLUNK_DB and moved my data, I have now 500GB of Storage on the new partition for the indexes.
Later, I will need to add more Partitions, and will use the homePath and coldPath to relocate some indexes on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I'm looking to implement this "easiest method" solution and for some reason our latest version of Splunk does not have the "/opt/splunk/splunk-launcher.cfg" file. We are version 7.3.0, has something changed since this original posting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, I actually found the answer in documentation and it may be appropriate for the details to be outlined here in this case for others seeking an answer.
Newer versions of Splunk will now have this value edited in:
/opt/splunk/etc/splunk-launch.conf
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@johnklaiber This question is 5 years old with an accepted answer. It's also outdated. Please post a new question.
If this reply helps you, Karma would be appreciated.
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Splunk App Dev Community Updates – What’s New and What’s Next
The Latest Cisco Integrations With Splunk Platform!
