I have few noisy indexes that I would like to save to another drive on the Splunk Indexer server. What would be the best way to do it? Splunk documentation only has instructions on how to move the whole SPLUNK_DB, but I don't need that...
Should I create a new variable in splunk-launch.conf (say SPLUNK_DB_TIER2) and update my indexes.conf so it looks like this (and will this work?):
[cisco_asa]
coldPath = $SPLUNK_DB_TIER2\cisco_asa\colddb
homePath = $SPLUNK_DB_TIER2\cisco_asa\db
thawedPath = $SPLUNK_DB_TIER2\cisco_asa\thaweddb
Or can I manually specify the path in indexes.conf without using $ SPLUNK_DB like this:
coldPath = "D:\cisco_asa\colddb"
homePath = "D:\cisco_asa\db"
thawedPath = "D:\cisco_asa\thaweddb"
↧