Create or Delete Indexes (Splunk Professional)
This documentation does not apply to the most recent version of Splunk.
The Splunk Server ships with a single index named main for your event data. Splunk Professional lets you add an unlimited number of additional indexes. One of them will serve as the default index for any search command that doesn't include an index:: modifier.
Create an index
# splunk add index create [name] [directory]
Do not use capital letters in your index name; this is a known problem that will be fixed.
The optional directory argument lets you set up an index outside of the default $SPLUNK_DB location.
Delete an index
# splunk remove index [name]
Display list of indexes
# splunk list index
Change the default index
# splunk set default-index [index_name]
multiIndexer.xml
You can also view or edit index configurations manually in $SPLUNK_HOME/etc/myinstall/pluginConfs/multiIndexer.xml. This is the entry for the main index as installed.
<database>
  <name>main</name>
  <dbHomePath>$$SPLUNK_DB]]/defaultdb/db</dbHomePath>
  <coldDBPath>$$SPLUNK_DB]]/defaultdb/colddb</coldDBPath>
  <tempPath>/tmp</tempPath>
  <maxWarmDBCount>300</maxWarmDBCount>
  <maxColdDBCount>10</maxColdDBCount>
  <frozenTimePeriodInSecs>15552000</frozenTimePeriodInSecs>
  <!-- ~6months; data older than this in the cold db will be rolled out -->
  <rotatePeriodInSecs>300</rotatePeriodInSecs>
  <maxDataSize>$$MAX_DATABASE_SIZE_MBYTES]]</maxDataSize>
  <maxTermChars>2097152</maxTermChars>
  <maxTerms>131072</maxTerms>
  <maxPostings>2097152</maxPostings>
  <maxValues>65536</maxValues>
  <coldToFrozenScript>echo $DIR</coldToFrozenScript>
  <compressRawdata>true</compressRawdata>
</database>
Move Indexes to Another Location
WARNING: Do not try to break up and move parts of an index filesystem manually. If you need to subdivide an existing index, contact Splunk Support for assistance.
To configure the Splunk Server to place its indexes on a different filesystem, follow these instructions. We'll use the example destination /foo/bar in the instructions below.
First, make sure the target filesystem has enough space - at least 1.2 times the size of the total amount of raw data you plan to index.
Second, make sure the target directory has the correct permissions so that your splunkd process will be able to write to files there.
# mkdir /foo/bar
# chown splunk /foo/bar/
# chmod 777 /foo/bar/
When the new index home is ready, stop the server if it is running.
# splunk stop
Copy the existing index filesystem to its new home.
# cp -r $SPLUNK_DB/* /foo/bar/
Edit your setSplunkEnv file.
# vi $SPLUNK_HOME/bin/setSplunkEnv
Inside setSplunkEnv, change this variable to point to your new index directory.
SPLUNK_DB=/foo/bar
Start the server.
# splunk start
The Splunk Server should pick up where it left off, reading from and writing to the new copy of its old index filesystem.
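The checks this procedure calls for (free space of at least 1.2 times the data, a target directory owned by the account that runs splunkd, a complete copy) can be scripted. The script below is an added example, not part of the original documentation or of Splunk's tooling; its function names, the script name and the splunk account default are assumptions, and it also reports a world-writable target, which is what mode 777 produces.

```shell
#!/bin/sh
# Added example: preflight and post-copy checks for moving $SPLUNK_DB.
# Function names are this example's own; they are not Splunk commands.

# Size of a directory tree, in KB.
dir_kb() { du -sk "$1" | awk '{print $1}'; }

# Free space, in KB, on the filesystem that holds a path.
free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# True when free >= 1.2 x need (integer form: 10*free >= 12*need).
has_headroom() { [ $(( $2 * 10 )) -ge $(( $1 * 12 )) ]; }   # <need_kb> <free_kb>

# True when the directory is owned by the given account.
owned_by() { [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]; }

# True when "other" has no write bit (mode 777 fails this check).
not_world_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# Checksum, size and relative path of every file under a directory.
tree_manifest() { ( cd "$1" && find . -type f -exec cksum {} + | sort ); }

# True when the copy holds the same files with the same contents.
same_tree() { [ "$(tree_manifest "$1")" = "$(tree_manifest "$2")" ]; }

# Usage: sh check_move.sh <current_index_dir> <new_index_dir> [service_account]
# The existing index size stands in for the raw data volume (assumption).
if [ $# -ge 2 ]; then
    src=$1 dst=$2 acct=${3:-splunk}
    has_headroom "$(dir_kb "$src")" "$(free_kb "$dst")" \
        || echo "FAIL: less than 1.2x free space on $dst"
    owned_by "$dst" "$acct"   || echo "FAIL: $dst is not owned by $acct"
    not_world_writable "$dst" || echo "WARN: $dst is world-writable"
    same_tree "$src" "$dst"   || echo "NOTE: $dst does not match $src (copy not done or incomplete)"
fi
```

Run it once before the copy for the space and permission checks, and again after the copy (with the server still stopped) to confirm the two trees match.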
Save Your Index as a Backup and Start a New One
Stop the server if it is running.
# splunk stop
Move the existing index to another directory.
# cp -r $SPLUNK_DB/* /foo/bar/
Erase the live copy of the existing index.
# splunk clean
Start the server again.
# splunk start
The Splunk Server will begin building a new index.
Switch to an Archived Index
Stop the server if it is running.
# splunk stop
Erase the live copy of the existing index (or save it as shown above).
# splunk clean
Move the archived index into place.
# cp -r /foo/bar/* $SPLUNK_DB/
Start the server again.
# splunk start
The Splunk Server will load and use the archived index, along with its Saved Splunks and tags.
When you switch the Splunk Server to use a different index directory, your Saved Splunks, source types, tags and user accounts (Splunk Professional) will also switch to those in the index you use. These values are stored in the hashDb directory for each index. You cannot yet exchange hashDb values among different index filesystems.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.