Moving your index database

If you need to, you can move your Splunk index database, individual indexes, or parts of an index to entirely new locations.

This process simply involves the following steps:

  1. Stop Splunk.
  2. Copy the files required for the index.
  3. Unset the SPLUNK_DB variable.
  4. Reset the SPLUNK_DB variable (by editing the %SPLUNK_HOME%\etc\splunk-launch.conf file).
  5. Restart Splunk.
  6. Delete the old index folder/files.
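
The six steps above as a PowerShell script for moving the whole index database. This is an added example, not code from the book. The install directory, the old and new database paths, and the helper `Get-TreeDigest` are assumptions for illustration. The script hashes both trees and refuses to continue if they differ, so the old files are deleted only after the copy is verified.

```powershell
# Added example. Run from an elevated prompt; every path below is an assumption.
$ErrorActionPreference = 'Stop'
$SplunkHome = 'C:\Program Files\Splunk'               # assumed install directory
$OldDb      = Join-Path $SplunkHome 'var\lib\splunk'  # assumed current SPLUNK_DB
$NewDb      = 'D:\SplunkData'                         # hypothetical new location
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$LaunchConf = Join-Path $SplunkHome 'etc\splunk-launch.conf'

# Hypothetical helper: one string of "relative path|SHA-256" rows for a tree.
function Get-TreeDigest([string]$Root) {
    $base = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $rows = Get-ChildItem -LiteralPath $base -Recurse -File -Force | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        '{0}|{1}' -f $_.FullName.Substring($base.Length), $hash
    }
    ($rows | Sort-Object) -join "`n"
}

# 1. Stop Splunk so nothing is written to the index during the copy.
& $Splunk stop
if ($LASTEXITCODE -ne 0) { throw 'splunk stop failed' }

# 2. Copy the index files; /COPYALL keeps ACLs, owner and audit settings.
robocopy $OldDb $NewDb /E /COPYALL /R:2 /W:5 /NP /LOG:"$env:TEMP\splunk-db-move.log"
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE)" }
if ((Get-TreeDigest $OldDb) -ne (Get-TreeDigest $NewDb)) {
    throw 'Copied tree does not match the source; old index left untouched.'
}

# 3. Unset SPLUNK_DB in the current session.
Remove-Item Env:\SPLUNK_DB -ErrorAction SilentlyContinue

# 4. Reset SPLUNK_DB in splunk-launch.conf, keeping a backup of the file.
Copy-Item -LiteralPath $LaunchConf -Destination "$LaunchConf.bak"
$kept = @(Get-Content -LiteralPath $LaunchConf |
          Where-Object { $_ -notmatch '^\s*SPLUNK_DB\s*=' })
$kept + "SPLUNK_DB=$NewDb" | Set-Content -LiteralPath $LaunchConf

# 5. Restart Splunk.
& $Splunk start
if ($LASTEXITCODE -ne 0) { throw 'splunk start failed; restore splunk-launch.conf.bak' }

# 6. Delete the old index files (reached only if every check above passed).
Remove-Item -LiteralPath $OldDb -Recurse -Force
```

Before letting step 6 run in production, confirm from a search that events older than the move are still returned from the new location.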

You can change the path to your indexes with Splunk Web; however, this method only affects the data written to the index after the path change is made. Splunk Web should really only be used for setting paths to new indexes, which we discussed earlier in this chapter.
