Working with multiple indexes
An index
in Splunk is a storage pool for events, capped by size, time, or both. By default, all events will go to the index specified by defaultDatabase, which is called main but lives in a directory called defaultdb.
Directory structure of an index
Each index occupies a set of
directories on disk. By default, these directories live in $SPLUNK_DB, which, by default, is located in $SPLUNK_HOME/var/lib/splunk. Looking at the following stanza for the main index:
[main] homePath = $SPLUNK_DB/defaultdb/db coldPath = $SPLUNK_DB/defaultdb/colddb thawedPath = $SPLUNK_DB/defaultdb/thaweddb maxHotIdleSecs = 86400 maxHotBuckets = 10 maxDataSize = auto_high_volume
If our Splunk installation lives at /opt/splunk, the index main is rooted at the path /opt/splunk/var/lib/splunk/defaultdb.
To change your storage location, either modify the value of SPLUNK_DB in $SPLUNK_HOME/etc/splunk-launch.conf or set absolute paths in indexes.conf.
Note
splunk-launch.conf cannot be controlled...
