About managing indexes

About managing indexes

When you add data to Splunk, Splunk processes it and stores it in an index. By default, data you feed to Splunk is stored in the main index, but you can create and specify other indexes for Splunk to use for different data inputs.

Indexes are stored in databases, which are located in $SPLUNK_HOME/var/lib/splunk. A database is a directory named db_<starttime>_<endtime>_<seq_num>. An index is a collection of database directories.

In addition to the main index, Splunk comes preconfigured with a number of internal indexes. Internal indexes are named starting with an underscore (_). The internal indexes store audit, indexing volume, Splunk logging, and other data. You can see a full list of indexes in Splunk Web if you click on the Manager link in the upper right hand of Splunk Web and then click Indexes:

• main: the default Splunk index. All processed data is stored here unless otherwise specified.
• splunklogger: Splunk keeps track of its internal logs in this index.
• _internal: this index includes metrics from Splunk's processors.
• sampledata: a small amount of sample data is stored here for training purposes.
• _thefishbucket: internal information on file processing.
• _audit: events from the file system change monitor, auditing, and all user search history.

Read on in this section for information about ways to manage the indexing process, including:

• Setting up multiple indexes, moving indexes, removing index data
• Managing disk usage by limiting index size or configuring segmentation

If you're interested in the indexing process

Refer to:

• The section How indexing works in this manual.
• The section Set up and use summary indexes in the Knowledge Manager manual, for information on working with extremely large datasets.
• The topic about Understanding buckets on the Community Wiki.
• The topic about Search performance on the Community Wiki.

• Was this topic useful?
• Post a comment