Optimize indexes
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Optimize indexes
While Splunk is indexing data, one or more instances of the splunk-optimize process will run intermittently, merging index files together to optimize performance when searching the data. The splunk-optimize process can use a significant amount of cpu but only briefly. You can reduce the number of concurrent instances of splunk-optimize by changing the value of maxConcurrentOptimizes in indexes.conf, but this is not typically necessary.
If splunk-optimize does not run frequently enough, searching will be less efficient.
splunk-optimize runs only on hot buckets. You can run it on warm buckets manually, if you find one with a larger number of index (.tsidx) files; typically, more than 25. To run splunk-optimize, go to $SPLUNKHOME/bin and type:
splunk-optimize -d|--directory <bucket_directory>
splunk-optimize accepts a number of optional parameters. To see a list of available parameters, type:
splunk-optimize
For more information on buckets, see "How Splunk stores indexes".
This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.