Add or Remove an index
This documentation does not apply to the most recent version of Splunk.
You can add or remove indexes from Splunk's CLI. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.
Create an index
Splunk ships with an index called main for your event data. Splunk with an Enterprise license lets you add an unlimited number of additional indexes. One of them will serve as the default index for any search command that doesn't include an index:: modifier.
To add an index, navigate to Splunk's CLI. Then type:
# ./splunk add index [name] [directory (optional)]
Please note: do not use capital letters in your index name; this is a known problem that will be fixed.
The optional directory argument lets you set up an index outside of the default $SPLUNK_DB location.
The add index command will bring you to a dialog session where you can specify the configuration of your new index:
./splunk add index hatch
add database
Please enter the max data size in MBs (40)
Please enter the max warm db count (100)
Please enter the frozen time out period in secs (188697600)
Please enter the max total data size in MBs (40000)
Config path: /home/emma/splunk/etc
Press Enter to accept the default values shown in parentheses, or enter your own values.
Delete an index
You can also delete an index through the CLI.
# ./splunk remove index [name]
This command will delete the index from your Splunk instance.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.