This documentation does not apply to the most recent version of Splunk.

indexes.conf

Indexes.conf controls index settings including archiving, retirement, path and tuning parameters.

To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/indexes.conf.


You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/indexes.conf.example.


Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.


indexes.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains all possible options for an indexes.conf file.  Use this file to configure 
# Splunk's indexes and their properties.
#
# There is an indexes.conf in $SPLUNK_HOME/etc/bundles/default/.  To set custom configurations, 
# place an indexes.conf in your own custom bundle directory.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
#
# IMPORTANT:  You can drastically affect your Splunk installation by changing these settings.  
# Consult technical support (support@splunk.com) if you are not sure how to configure this file.
#
# DO NOT change the attribute QueryLanguageDefinition without consulting technical support.
#******************************************************************************	
# GLOBAL OPTIONS
# These options affect every index
#******************************************************************************	
sync = <N non-negative number>
	* The index processor will attempt to sync the index every N events. 
	* Set to 0 to disable.
	* Defaults to 0.
maxQueryIds = <non-negative number>
  	* The maximum number of IDs a search will attempt to resolve in a single query. 
   	* Defaults to 10000000.
  		* This is a good value for 32 bit systems.
		* You can raise this setting for 64bit installations with lots of RAM.
defaultDatabase = <database name>
  	* If no index is specified during search, Splunk searches the default database. 
  	* This is also the database displayed by default on the homepage.
  	* Defaults to main.
  	
queryLanguageDefinition = <path to file>
  	* The path to the search language definition file.
  	* DO NOT EDIT THIS SETTING.
  	* Defaults to $SPLUNK_HOME/etc/searchLanguage.xml.
blockSignatureDatabase = <database name>
  	* This is the database that will be used to store block signatures of events.
  	* Defaults to _blocksignature.
#******************************************************************************
# PER INDEX OPTIONS
# These options may be set under an [$INDEX] entry 
#******************************************************************************
homePath = <path on server>
   	* The path that contains the hot and warm databases and fields for the index. 
   	* Databases that are warm have a handle open to them at all times in splunkd.
   	* CAUTION: Path MUST be writable.
coldPath = <path on server>
   	* The path that contains the cold databases for the index. 
   	* Cold databases are opened as needed when searching.
   	* CAUTION: Path MUST be writable.
   	
thawedPath = <path on server>
   	* The path that contains the thawed (resurrected) databases for the index.
# The following options can be set either per index or at the top of the file as defaults for all indexes.
# Defaults set at the top of the file are overridden if set on a per-index basis.
maxResults = <non-negative number>
   	* The maximum number of results to fetch for a query. 
   	* This is a hard-cap for the maxresults search directive.
   	* Defaults to 500000 for 64 bit; 50000 for 32 bit.
maxWarmDBCount = <non-negative number>
   	* The maximum number of warm db_N_N_N directories.
   	* All warm DBs are in the <homePath> for the index. 
   	* Warm DBs are kept in open state.
   	* Defaults to 300.
maxColdDBCount = <non-negative number>
   	* The maximum number of open cold databases at any given time.
   	* THIS IS NOT the total number of cold databases. 
   	* During search, splunkd keeps an LRU cache of all open cold DBs; 
     this number controls the size of that cache.
    * Defaults to 10.
maxTotalDataSizeMB = <non-negative number>
   	* The maximum size of an index (in MB). 
   	* If an index grows larger, the oldest data is frozen.
   	* Defaults to 500000.
rotatePeriodInSecs = <non-negative number>
   	* Frequency for checking to see if a new hot DB needs to be created.
   	* Also the frequency to check if there are any cold DBs that need to be frozen.
   	* Defaults to 60.
frozenTimePeriodInSecs = <non-negative number>
  	* This number controls when cold DBs roll to frozen.
   	* It is the number of seconds after which indexed data should be erased.
   	* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs before it will roll.
   	* A DB whose events are all older than frozenTimePeriodInSecs will be frozen the next time splunkd checks.
   	* Defaults to 188697600.
warmToColdScript = <$script> 
    * Specify a script to run when moving data from warm to cold. 
    * The script must accept two variables:
       * first, the warm directory to be rolled to cold.
       * second, the destination in the cold path.
    * You only need to set this if you store warm and cold DBs on separate partitions.
    * Please contact Splunk Support if you need help configuring this setting.
    * Defaults to empty.
coldToFrozenScript = <$script $DIR>
  	* Must take in two variables:  the script to run and the path to the directories to be frozen. 
   	* Splunk ships with two exporting scripts: 
     compressedExport.sh - Export with tsidx files compressed as gz.
     flatfileExport.sh - Export as a flat text file.
    * Defaults to (echo $DIR).
compressRawdata = <true|false>
   	* If set to true, Splunk writes raw data out as compressed gz files.
   	* If set to false, Splunk will write data to an uncompressed raw file.
   	* Defaults to true.
maxConcurrentOptimizes = <number of concurrent optimize processes that can be run>
   	* The number of concurrent optimize processes that can be run against the hot DB.
   	* This number should be increased if: 
     1. There are always many small tsidx files in the hot db.
     2. After rolling, there are many tsidx files in warm or cold db.
waitForOptimize = < 0 = no, !0 = yes > 
   	* Wait to roll until optimize processes finish (!0) or just kill them (0).
   	* If you are seeing a big pause in indexing or searching during rolling, set this to 0.
maxDataSize = <non-negative number>
   	* The maximum size in MBs of the hot DB.
	* The hot DB will grow to this size before it is rolled out to warm.
   	* Do not increase the default setting unless Splunk is running in 64bit mode.
   	* Defaults to 750.
     
indexThreads = <non-negative number>
   * The number of extra threads to use during indexing. 
   * This number should not be set higher than the number of processors in the box. 
   * If splunkd is also doing parsing and aggregation, the number should be lower than the total 
    number of processors minus two.
   * Defaults to 0.
maxMemMB = <non-negative number>
   * The amount of memory to allocate for indexing. 
   * This amount of memory will be allocated PER INDEX THREAD.
   * OR If indexThreads is set to 0, once per index.
   * IMPORTANT:  Calculate this number carefully.
    * splunkd will crash if you set this number higher than what is available.
   * Defaults to 50.
   
blockSignSize = <non-negative number>
   * Controls how many events make up a block for block signatures. 
   * If it is set to 0, block signing is disabled for this index.
   * Defaults to 0.
   
#******************************************************************************    
# Advanced memory tuning parameters.  Do not alter these without contacting Splunk Support. 
# Use maxMemMB to control memory usage.
#******************************************************************************
maxTermChars = <non-negative number>
 	* Defaults to 2097152.
   
maxTerms = <non-negative number> 
	* Defaults to 131072.
 
maxPostings = <non-negative number> 
	* Defaults to 2097152.
 
maxValues = <non-negative number> 
	* Defaults to 65536.

indexes.conf.example

# This file contains an example indexes.conf.  Use this file to configure indexing properties.
#
# There is an indexes.conf in the default directory ($SPLUNK_HOME/etc/bundles/default/). 
# To set custom configurations, place an indexes.conf in your own custom bundle directory.
# The following example sets up a new default index, called "hatch."
defaultDatabase = hatch
[hatch]
homePath   = $SPLUNK_DB@OsDirSep@hatchdb@OsDirSep@db
coldPath   = $SPLUNK_DB@OsDirSep@hatchdb@OsDirSep@colddb
thawedPath = $SPLUNK_DB@OsDirSep@hatchdb@OsDirSep@thaweddb
indexThreads = 1
# Max amount of physical memory (in megabytes) to use for a given index
maxMemMB = 200
maxDataSize = 10000

# The following example changes the default amount of space and memory Splunk's indexes use.
# Set these at the top of the file, above any [index] stanza, so they apply as defaults.
maxTotalDataSizeMB = 650000
maxMemMB = 75

# The following example changes how long data is kept by default.
# It also sets an export script.  NOTE: You must edit this script to set export location before 
# running it.
maxWarmDBCount = 200
maxColdDBCount = 5
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenScript = compressedExport.sh

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.

