While Splunk is indexing data, one or more instances of the
splunk-optimize process will run intermittently, merging index files together to optimize performance when searching the data. The
splunk-optimize process can use a significant amount of cpu but only briefly. You can reduce the number of concurrent instances of
splunk-optimize by changing the value of
indexes.conf, but this is not typically necessary.
splunk-optimize does not run frequently enough, searching will be less efficient.
splunk-optimize runs only on hot buckets. You can run it on warm buckets manually, if you find one with a larger number of index (
.tsidx) files; typically, more than 25. To run
splunk-optimize, go to
$SPLUNKHOME/bin and type:
splunk-optimize -d|--directory <bucket_directory>
splunk-optimize accepts a number of optional parameters. To see a list of available parameters, type:
For more information on buckets, see "How Splunk stores indexes".
Remove indexed data from Splunk
Configure bloom filters
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7