Change the Splunk index database location

In this post, we cover the procedure for changing the location of the Splunk index database.

Splunk lets you move the index database from one location to another. The default location of the Splunk database is $SPLUNK_HOME/var/lib/splunk. You change the location of the index database by changing the path definition of SPLUNK_DB through the command-line interface (CLI). Although you can use Splunk Web to change the locations of individual indexes or index volumes, you cannot use it to change the default storage location of indexes, SPLUNK_DB.

CAUTION: Before proceeding, make sure the target file system has capacity of at least 1.2 times the size of the total amount of raw data that you plan to index.

Step i) Create the target directory (on your indexer) with write permissions for the user that Splunk Enterprise runs as. For example, assuming Splunk runs as the ‘root’ user:

# mkdir /tmp/splunk_db

Step ii) Stop your indexer:

# cd $SPLUNK_HOME/bin
# ./splunk stop

Step iii) Copy the index file system to the target directory:

# cp -rp $SPLUNK_DB/* /tmp/splunk_db

Step iv) Unset the SPLUNK_DB environment variable:

# unset SPLUNK_DB

Step v) Change the SPLUNK_DB attribute in $SPLUNK_HOME/etc/splunk-launch.conf to specify the new index directory:

# cd /opt/splunk/etc
# vim splunk-launch.conf

NOTE: Don’t forget to remove the ‘#’ preceding SPLUNK_DB if you are changing the SPLUNK_DB path for the first time.

Step vi) Start the indexer:

# cd $SPLUNK_HOME/bin
# ./splunk start

Step vii) Verify that Splunk can access the new index database location:

Log in to Splunk Web and create a new index.

Go to the new index database location and verify that the new index is there.

Kudos!! The Splunk indexer picks up data from where it left off, using the new location to read/write data.

NOTE: You can delete the old index database once you are sure that the indexer can read and write to the new location.
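
The checks implied by the steps above, written as shell functions. This is an added example, not part of the original post: the function names are hypothetical, and using the current size of the index directory as a stand-in for the amount of raw data is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths are passed as arguments.

# Before step iii: free space on the target file system must be at least
# 1.2x the size of the existing index directory (assumed stand-in for raw data).
space_ok() {   # space_ok OLD_DB NEW_DB
    need_kb=$(du -sk "$1" | awk '{ print int($1 * 1.2) + 1 }')
    free_kb=$(df -Pk "$2" | awk 'NR == 2 { print $4 }')
    [ "$free_kb" -ge "$need_kb" ]
}

# After step iii, while the indexer is still stopped: the copy must match.
copy_ok() {    # copy_ok OLD_DB NEW_DB
    diff -rq "$1" "$2" >/dev/null 2>&1
}

# After step v: print each uncommented SPLUNK_DB value in splunk-launch.conf.
# A line still starting with '#' prints nothing (the NOTE in step v).
effective_db() {   # effective_db LAUNCH_CONF
    sed -n 's/^[[:space:]]*SPLUNK_DB[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Before step vi: returns non-zero unless the copy matches the original and
# splunk-launch.conf names NEW_DB as its only SPLUNK_DB value.
verify_move() {    # verify_move OLD_DB NEW_DB LAUNCH_CONF
    copy_ok "$1" "$2" || { echo "copy under $2 differs from $1" >&2; return 1; }
    [ "$(effective_db "$3")" = "$2" ] || { echo "SPLUNK_DB in $3 is not $2" >&2; return 1; }
}
```

Run space_ok with the old and new paths before the copy, and verify_move with the old path, the new path and $SPLUNK_HOME/etc/splunk-launch.conf before ./splunk start.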

Thanks for reading, keep following our blog to get more interesting posts related to SPLUNK!!!

Happy Splunking!!