Create an index

Create an index

Splunk ships with an index called main that, by default, holds all your events. Splunk with an Enterprise license lets you add an unlimited number of additional indexes. The main index serves as the default index for any input and search command that doesn't specify an index, although you can change the default. You can add indexes via Splunk Web, Splunk's CLI or indexes.conf.

Splunk searches automatically look through the default index (by default, main) unless otherwise specified. If you have created a new index, or want to search in any index that is not default, you must specify the index in your search:

This searches in the hatch index for the userid=henry.gale.

via Splunk Web

Note: To apply any changes that you make to the indexes, such as editing properties or adding a new index, you must restart Splunk. In Splunk Web, you can restart the Splunk server from Admin > Server: Control Server. Just click Restart Now.

Create a new index

The Admin > Indexes: Create Index page lets you define the properties for a new index. To create a new index, enter:

• A name for the index.
• The maximum size (in MB) of the hot database.
• The maximum size (in MB) of the index.

Note: Index names must consist of only numbers, letters, periods, underscores, and dashes.

If you check Advanced settings, the list of properties expands. Advanced properties include:

• The maximum number of search results.
• The maximum number of warm database directories.
• The maximum number of cold databases open at any given time.
• The frequency that new hot database are to be created.
• The frequency that cold databases are to be frozen.
• The script and directory to archive the index's data.
• The number of concurrently running optimize processes.
• Whether to wait for optimize processes to finish or just kill them.
• The number of extra threads to use during indexing.
• The amount of memory (in MB) to allocate for indexing.
• The number of events to make up a block for block signatures.

After setting the index's properties, click Add. Then, restart Splunk to save and apply your changes.

You can also edit an index at any time by clicking on the index name within the Indexes tab of the Admin section of Splunk Web. Properties that you cannot change are grayed out. To change these properties, use indexes.conf.

via Splunk's CLI

To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.

To add an index, first shutdown Splunk with splunk stop. Then navigate to Splunk's CLI. Then type:

./splunk add index [name]

Note: Do not use capital letters in your index name; this is a known problem that will be fixed.

The add index command brings you to a dialog session. Specify the configurations of your new index:

./splunk add index hatch

Hit enter to accept the default values in parenthesis, or enter your own values.

Note: To apply any changes that you make to the indexes, such as editing properties or adding a new index, you must restart Splunk. If you restart Splunk from the CLI, you are prompted to approve the creation of the new index. To restart without requiring a response (to automatically respond "yes"), type:

./splunk restart --answer-yes 

via indexes.conf

Add a stanza to indexes.conf in $SPLUNK_HOME/etc/system/local. See configuration details and examples in indexes.conf.spec.

Delete an index

To remove any indexes you don't want, use indexes.conf or Splunk's CLI.

via indexes.conf

Remove the index stanza from indexes.conf. Custom indexes are in $SPLUNK_HOME/etc/system/local, or you application directory in $SPLUNK_HOME/etc/system/apps

via the CLI

You can also delete an index through the CLI.

1. ./splunk remove index [name]

</pre>

This command deletes the index from your Splunk instance.

• Was this topic useful?
• Post a comment