indexes.conf
This documentation does not apply to the most recent version of Splunk.
The following are the spec and example files for indexes.conf.
indexes.conf.spec
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.0
#
# This file contains all possible options for an indexes.conf file. Use this file to configure
# Splunk's indexes and their properties.
#
# There is an indexes.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place an indexes.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
# indexes.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
#
# CAUTION: You can drastically affect your Splunk installation by changing these settings.
# Consult technical support (http://www.splunk.com/page/submit_issue) if you are not sure how
# to configure this file.
#
# DO NOT change the attribute QueryLanguageDefinition without consulting technical support.
#******************************************************************************
# GLOBAL OPTIONS
# These options affect every index
#******************************************************************************
sync = <integer>
* The index processor syncs events every <integer> number of events.
* Must be non-negative.
* Set to 0 to disable.
* Defaults to 0.
defaultDatabase = <database name>
* If no index is specified during search, Splunk searches the default database.
* Also the database displayed by default on the homepage.
* Defaults to main.
queryLanguageDefinition = <path to file>
* The path to the search language definition file.
* DO NOT EDIT THIS SETTING.
* Defaults to $SPLUNK_HOME/etc/searchLanguage.xml.
blockSignatureDatabase = <database name>
* This is the database that stores block signatures of events.
* Defaults to _blocksignature.
memPoolMB = <number or "auto">
* Specifying "auto" or an invalid value will cause Splunk to autotune this param based on your system
* How much memory is given to indexer memory pool that restricts number of outstanding events in the indexer at any given time
* Has to be greater than 0 and has a maximum of 1048576 (which corresponds to 1 TB)
* Setting this too high may lead to splunkd memory usage going up substantially
* Setting this too low may degrade splunkd indexing performance
* Please only set this value if you are an expert user or are advised by Splunk Support
* CARELESSNESS IN SETTING THIS MAY LEAD TO PERMANENT BRAIN DAMAGE OR LOSS OF JOB
indexThreads = <number or "auto">
* Specifying "auto" or an invalid value will cause Splunk to autotune this param based on your system
* The number of threads to use for indexing
* The number has to be at least 1 and at most 16
* If specified as < 0 or more than 16, it will be autotuned
* This number should not be set higher than the number of processors in the box.
* If splunkd is also doing parsing and aggregation, the number should be lower than the total number of processors minus two.
* Please only set this value if you are an expert user or are advised by Splunk Support
* CARELESSNESS IN SETTING THIS MAY LEAD TO PERMANENT BRAIN DAMAGE OR LOSS OF JOB
assureUTF8 = true | false
* Verifies that all data to be indexed is proper UTF8.
* Will degrade indexing performance when enabled (set to true).
* Defaults to false
#******************************************************************************
# PER INDEX OPTIONS
# These options may be set under an [$INDEX] entry
#******************************************************************************
disabled = true | false
* Toggle your index entry off and on.
* Set to true to disable an index.
* Defaults to false.
homePath = <path on server>
* The path that contains the hot and warm databases and fields for the index.
* Splunkd keeps a file handle open for warm databases at all times.
* CAUTION: Path MUST be writable.
coldPath = <path on server>
* The path that contains the cold databases for the index.
* Cold databases are opened as needed when searching.
* CAUTION: Path MUST be writable.
thawedPath = <path on server>
* The path that contains the thawed (resurrected) databases for the index.
# The following options can be set either per index or at the top of the file as defaults for all indexes.
# Defaults set at the top of the file are overridden if set on a per-index basis.
maxWarmDBCount = <integer>
* The maximum number of warm DB_N_N_N directories.
* All warm DBs are in the <homePath> for the index.
* Warm DBs are kept in open state.
* Defaults to 300.
maxTotalDataSizeMB = <integer>
* The maximum size of an index (in MB).
* If an index grows larger, the oldest data is frozen.
* Defaults to 500000.
rotatePeriodInSecs = <integer>
* Frequency (in seconds) to check if a new hot DB needs to be created.
* Also the frequency to check if there are any cold DBs that need to be frozen.
* Defaults to 60.
frozenTimePeriodInSecs = <integer>
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, this data is erased.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs before it will roll.
* A DB whose events are all older than frozenTimePeriodInSecs will be frozen the next time splunkd checks.
* Defaults to 188697600.
warmToColdScript = <script>
* Specifies a script to run when moving data from warm to cold.
* Should not be necessary for any purpose in Splunk 4. Migrating data across filesystems is handled natively by splunkd. Supported for backwards compatibility.
* If you specify a script here, the script becomes responsible for moving the data, and Splunk's native data migration will not be used.
* The script must accept two arguments:
* First: the warm directory (bucket) to be rolled to cold.
* Second: the destination in the cold path.
* Splunk searches and other activities will be paused while the script works.
* Please contact Splunk Support if you need help configuring this setting.
* Defaults to empty.
coldToFrozenScript = <script>
* Specify an archiving script by changing <script>.
* Splunk ships with two default archiving scripts (or create your own):
* compressedExport.sh - Export with tsidx files compressed as gz.
* flatfileExport.sh - Export as a flat text file.
* Define <$script> paths relative to $SPLUNK_HOME/bin
* WINDOWS users use this notation:
coldToFrozenScript = <script> "$DIR"
* <script> can be either compressedExport.bat or flatfileExport.bat
compressRawdata = true | false
* If set to true, Splunk writes raw data out as compressed gz files.
* If set to false, Splunk will write data to an uncompressed raw file.
* Defaults to true.
maxConcurrentOptimizes = <integer>
* The number of concurrent optimize processes that can be run against the hot DB.
* This number should be increased if:
1. There are always many small tsidx files in the hot DB.
2. After rolling, there are many tsidx files in warm or cold DB.
maxDataSize = <integer or "auto">
* The maximum size in MBs for a hot db to grow before a roll to warm is triggered
* Specifying "auto" or "auto_high_volume" will cause Splunk to autotune this param based on your system (Recommended)
* You should use "auto_high_volume" for high volume indexes (such as the main index), otherwise use "auto"
* Although the maximum value you can set this to is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000;
* any number outside this range should be approved by Splunk support before proceeding
* If you specify an invalid number or string for maxDataSize, maxDataSize will be auto tuned
* NOTE: The precise size of your warm buckets may vary from maxDataSize due to post processing and timing issues with the rolling policy
maxMemMB = <integer>
* The amount of memory to allocate for indexing.
* This amount of memory will be allocated PER INDEX THREAD.
* OR If indexThreads is set to 0, once per index.
* IMPORTANT: Calculate this number carefully.
* splunkd will crash if you set this number higher than what is available.
* Defaults to 50.
blockSignSize = <integer>
* Controls how many events make up a block for block signatures.
* If it is set to 0 block signing is disabled for this index.
* Defaults to 0.
* A recommended value of this variable is 100.
maxHotSpanSecs = <non-negative number>
* Upper bound of target max timespan of hot/warm buckets in seconds
* Defaults to 90 days
* NOTE: if you set this too small, you may get an explosion of hot/warm
buckets in the filesystem. The system sets a lower bound implicitly for
this parameter at 3600, but this is an advanced parameter that should be set
with care and understanding of the characteristics of your data
maxHotIdleSecs = <non-negative number>
* If the number of hot buckets is growing and is exceeding the maxHotBuckets
count, this parameter will take effect, otherwise, it has no effect
* Upper bound of life in seconds of a hot bucket
* Once this time expires, hot bucket will be "rolled" into a warm bucket
* A value of 0 turns off the idle check (equivalent to INFINITE idle time)
* Defaults to 0
maxHotBuckets = <non-negative number>
* Maximum hot buckets that can exist per index
* LRU policy will be used to age out hot buckets when this number is exceeded
* Defaults to 1
quarantinePastSecs = <non-negative number>
* events with timestamp of quarantinePastSecs older than "now" will be
dropped into quarantine bucket
* defaults to 157680000 (5 years)
* this is a mechanism to prevent main hot buckets from being polluted with
fringe events
quarantineFutureSecs = <non-negative number>
* events with timestamp of quarantineFutureSecs newer than "now" will be
dropped into quarantine bucket
* defaults to 2592000 (1 month)
* this is a mechanism to prevent main hot buckets from being polluted with
fringe events
indexes.conf.example
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.0
#
# This file contains an example indexes.conf. Use this file to configure indexing properties.
#
# To use one or more of these configurations, copy the configuration block into
# indexes.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
#

# The following example sets up a new default index, called "hatch."
defaultDatabase = hatch
[hatch]
homePath = $SPLUNK_DB/hatchdb/db
coldPath = $SPLUNK_DB/hatchdb/colddb
thawedPath = $SPLUNK_DB/hatchdb/thaweddb
indexThreads = 1
# Max amount of physical memory (in megabytes) to use for a given index
maxMemMB = 200
maxDataSize = 10000

# The following example changes the default amount of space and memory Splunk's indexes use.
maxTotalDataSizeMB = 650000
maxMemMB = 75

# The following example changes the time data is kept around by default.
# It also sets an export script. NOTE: You must edit this script to set export location before
# running it.
maxWarmDBCount = 200
maxColdDBCount = 5
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenScript = /opt/bin/compressedExport.sh
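The spec above states that frozen data is erased when no coldToFrozenScript is set and that blockSignSize = 0 disables block signing. The following added example (not part of Splunk's documentation or code) audits an indexes.conf for both conditions, applying top-of-file defaults and the spec defaults listed on this page; the index names `audit_trail` and `scratch`, the helper names, and the 90-day retention threshold are assumptions.

```python
# Added example: audit indexes.conf for retention and block-signing gaps.
# Defaults below are the ones documented in the spec on this page.
SPEC_DEFAULTS = {"frozenTimePeriodInSecs": "188697600",
                 "coldToFrozenScript": "", "blockSignSize": "0"}

def parse_indexes_conf(text):
    """Return (top_of_file_settings, {index_name: per_index_settings})."""
    global_settings, indexes = {}, {}
    current = global_settings          # lines before any [stanza] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = indexes.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return global_settings, indexes

def audit(text, min_retention_secs):
    """Return sorted (index, finding) tuples for enabled indexes."""
    global_settings, indexes = parse_indexes_conf(text)
    findings = []
    for name, local in indexes.items():
        # Per-index values override top-of-file values, which override defaults.
        eff = {**SPEC_DEFAULTS, **global_settings, **local}
        if eff.get("disabled", "false").lower() == "true":
            continue
        retention = int(eff["frozenTimePeriodInSecs"])
        if retention < min_retention_secs and not eff["coldToFrozenScript"]:
            findings.append((name, "erased after %d s, no coldToFrozenScript" % retention))
        if int(eff["blockSignSize"]) == 0:
            findings.append((name, "block signing disabled (blockSignSize = 0)"))
    return sorted(findings)

# Constructed sample input; index names other than "hatch" are hypothetical.
SAMPLE = """\
frozenTimePeriodInSecs = 432000
[hatch]
coldToFrozenScript = /opt/bin/compressedExport.sh
[audit_trail]
blockSignSize = 100
[scratch]
disabled = true
"""

if __name__ == "__main__":
    for index, finding in audit(SAMPLE, min_retention_secs=90 * 86400):
        print(index, "-", finding)
```

Only indexes defined in the text passed in are audited, so indexes that exist only in $SPLUNK_HOME/etc/system/default/ need that file checked as well.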
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11