search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

Indicates whether to sort returned entries in ascending or descending order.

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

This is a global setting, not a per index setting.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize will be auto tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you don't use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

This is a global setting, not a per index setting.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this interval, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host

• less than 2GB RAM = 67108864 (64MB) tsidx
• 2GB to 8GB RAM = 134217728 (128MB) tsidx
• more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

Required. Splunk will not start if an index lacks a valid coldPath.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes will be overwritten on upgrade.

Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

• For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
• For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index

When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation.

Note: This endpoint is new in Splunk 4.3.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

Required. Splunk will not start if an index lacks a valid homePath.

CAUTION: Path MUST be readable and writable.

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize will be auto tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you don't use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this interval, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

auto: Use the value as configured with the master.

0: Specify zero to turn off replication for this index.

For information on configuring clusters, see Configure clusters in the Splunk Managing Indexing and Clusters manual.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

Note: Do not change this parameter without the input of a Splunk Support.

Cannot be defined in terms of a volume definition.

Required. Splunk will not start if an index lacks a valid thawedPath</codePath>.

Note: Do not change this parameter without the input of Splunk Support.

<code>Location: /services/data/indexes/{name}

If enabled (set to True), degrades indexing performance

Can only be set globally.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize will be auto tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you don't use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this interval, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

This attribute only applies to Splunk clustering slaves.

auto: Use the value as configured with the master.

0: Specify zero to turn off replication for this index.

For information on configuring clusters, see Configure clusters in the Splunk Managing Indexing and Clusters manual.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

This is a global setting, not a per index setting.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize will be auto tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you don't use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

This is a global setting, not a per index setting.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this interval, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host

• less than 2GB RAM = 67108864 (64MB) tsidx
• 2GB to 8GB RAM = 134217728 (128MB) tsidx
• more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes will be overwritten on upgrade.

Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

• For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
• For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index

When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation.

Note: This endpoint is new in Splunk 4.3.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize will be auto tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you don't use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this interval, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

auto: Use the value as configured with the master.

0: Specify zero to turn off replication for this index.

For information on configuring clusters, see Configure clusters in the Splunk Managing Indexing and Clusters manual.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

Note: Do not change this parameter without the input of a Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

If enabled (set to True), degrades indexing performance

Can only be set globally.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize will be auto tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you don't use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this interval, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

This attribute only applies to Splunk clustering slaves.

auto: Use the value as configured with the master.

0: Specify zero to turn off replication for this index.

For information on configuring clusters, see Configure clusters in the Splunk Managing Indexing and Clusters manual.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.