How to change the data storage folder path - Security Business -Macnica

Security business menu

Security business
HOME

To be elected
cause

Service

Handling Manufacturer

Examples/reports/
Blog/Glossary

Seminar/
video on demand

TOP

Products/Services

Specifications/Technical Information

Specifications/Technical Information
- Splunk Enterprise features
- Splunk Technology Blog

solution

solution

User stories

support

Seminar content

Evaluation machine application/FAQ

Application for evaluation machine
- Splunk Evaluation Download
FAQ

Document request

inquiry

Event/Seminar

video on demand

How to change the data save destination folder path

release date: 2016-02-29

last updated: 2016-07-07

version: Splunk Enterprise 6.3.2

Overview: How to change the directory where Splunk's index data is stored

Reference information

http://docs.splunk.com/Documentation/Splunk/6.3.2/Indexer/Moveanindex

content

The procedure for changing the Splunk index data storage destination is as follows.

It is recommended to check the operation in the verification environment once before implementing it in the production environment. Please note that this does not apply to cluster configurations.

Linux environment

Make sure there is enough free space on the destination file system that is at least 1.2 times the total size of the raw data.

If necessary, create a directory in which to store your index data and make sure it has access for the Splunk startup user.

example:

mkdir /home/splunkdata
chown -R splunk:splunk /home/splunkdata
chmod +rw -R /home/splunkdata

Stop Splunk.

example:

/opt/splunk/bin/splunk stop

* $SPLUNK_HOME is the installation directory of Splunk. For default installation: /opt/splunk

Move the data under the directory created in 2.

example:

mv /opt/splunk/var/lib/splunk/* /home/splunkdata/

Clear environment variables.

example:

unset SPLUNK_DB

Edit $SPLUNK_HOME\etc\splunk-launch.conf to specify the new data save destination.

example:

vi /opt/splunk/etc/splunk-launch.conf

Add SPLUNK_DB = /home/splunkdata.

*Please make a backup of splunk-launch.conf in advance if necessary.

Start Splunk.

example:

/opt/splunk/bin/splunk start>

Access Splunk via a web browser and confirm that the data imported before work can be searched and that new data is also imported.

Windows environment

Make sure there is enough free space on the drive or directory you want to change.

*Please note that using a network drive as the save destination is not recommended or supported.

If necessary, create a directory in which to store your index data and make sure it has access for the Splunk startup user.

example:

C:\Program Files\Splunk> D:D:\> mkdir \new\path\for\indexD:\> cacls D:\new\path\for\index /T /E /G:F

Stop Splunk.

example:

C:\"Program Files"\Splunk/bin/splunk stop

* $SPLUNK_HOME is the installation directory of Splunk. For default installation: C:\"Program Files"\Splunk

* It is also possible to stop the service from the control panel.

Copy the index data under the directory created in 2.

example:

xcopy "C:\Program Files\Splunk\var\lib\splunk\*.*" D:\new\path\for\index /s /e /v /o /k

* $SPLUNK_HOME is the installation directory of Splunk. For default installation: C:\"Program Files"\Splunk

* It is also possible to stop the service from the control panel.

Clear environment variables.

example:

set SPLUNK_DB=

Edit $SPLUNK_HOME\etc\splunk-launch.conf to specify the new data save destination.

Example: Add the following in the file.

SPLUNK_DB=D:\new\path\for\index

*Please make a backup of splunk-launch.conf in advance if necessary.

Start Splunk.

Example: Add the following in the file.

C:\"Program Files"\Splunk/bin/splunk start

Access Splunk via a web browser and confirm that the data imported before work can be searched and that new data is also imported.

that's all

to previous page

In charge of Macnica Splunk Co., Ltd.

inquiry Document request

TEL：045-476-2010
E-mail：splunk-sales@macnica.co.jp

Mon-Fri 8:45-17:30