First stop splunk.
cd into your splunk/bin directory
./splunk stop
Create a new folder (ex. /mnt/splunk_data).
cp -rp splunk/var/lib/splunk/* /mnt/splunk_data/
Change SPLUNK_DB to point to /mnt/splunk_data.
vi splunk/etc/splunk-launch.conf
Find SPLUNK_DB in the file and change the path.
SPLUNK_DB=/mnt1/splunk_data
You may also want to change the retention policy and the max storage size.
// 30 days
frozenTimePeriodInSecs = 2592000
// 90G
maxTotalDataSizeMB = 90000
It's recommended to set the size using the following formula:
Total storage = daily average rate x retention policy x 1/2 = 15 Gig
Start Splunk.
./splunk start
To tune Splunk settings, check:
http://docs.splunk.com/Documentation/Splunk/4.3.1/Installation/CapacityplanningforalargerSplunkdeployment
No comments:
Post a Comment