Optimize indexes
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Optimize indexes
While Splunk is indexing data, one or more instances of the splunk-optimize process will run intermittently, merging index files together to optimize performance when searching the data. The splunk-optimize process can use a significant amount of cpu, but should not consume it indefinitely, only for a short amounts of time. You can alter the number of concurrent instances of splunk-optimize by changing the value set for maxConcurrentOptimizes in indexes.conf, but this is not typically necessary.
splunk-optimize should only run on hot buckets. You can run it on warm buckets manually, if you find one with a larger number of .tsidx files (more than 25):
./splunk-optimize <directory>
If splunk-optimize does not run often enough, search efficiency will be affected.
For more information on buckets, see "How Splunk stores indexes".
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.
An example for optimizing "main" would be good. I'm pretty dumb and the example for wasn't detailed enough to help me.