Configure the peer indexes
You configure indexes by editing the indexes.conf file. This file determines an indexer's set of indexes, as well as the size and attributes of its buckets. This file must be identical across all peer nodes, except for very limited purposes, described later.
The cluster peers deploy with a default
indexes.conf file that handles basic cluster needs. If you want to add indexes or change bucket behavior, you edit a new
indexes.conf file in a special location on the master and then distribute the file simultaneously to all the peers.
Important: You cannot use Manager or the CLI to configure index settings on peer nodes. You must edit
All peers must use the same indexes.conf
indexes.conf file should ordinarily be identical across all peers in a cluster. In particular, all peers must use the same set of clustered indexes. This is essential for index replication to work properly. (The master node, on the other hand, uses its own, separate
indexes.conf file, because it indexes only its own internal data.) There's a limited exception to this stricture, which is described a bit later.
When you first create the cluster, the master distributes a default
indexes.conf file to each of the peers. This version of
indexes.conf is specifically designed for cluster peers. The default
indexes.conf turns on replication for the
main (default) index, as well as the internal indexes, such as
Depending on your system, you might also need to edit and distribute a modified
indexes.conf to the peers, to accommodate additional indexes or changes to bucket attributes. To ensure that all peers use the same
indexes.conf, you use the master node to distribute the file to all the peers as a single process.This process, known as the configuration bundle method, is described in "Update common peer configurations".
Although it's possible to distribute the
indexes.conf file to all peers using some different distribution method, it's not recommended. When you distribute via the master node, as described in "Update common peer configurations", the master orchestrates the distribution to ensure that all peers have the same set of clustered indexes. If you use another distribution method, you must ensure that settings for any new clustered indexes are successfully distributed to all peers, and that all the peers have been restarted, before you start sending data to the new indexes.
Note: Under limited circumstances (for example, to perform local testing or monitoring), you can create a separate peer-specific
indexes.conf that configures an index for that peer only. However, such an index will not get replicated. The peer-specific
indexes.conf supplements, but does not replace, the common version of the file that all peers get. See "Add an index to a single peer" for details.
You first edit the common
indexes.conf on the master and then use the master to distribute the file across the set of peers, as described in "Update common peer configurations".
For details on configuring
indexes.conf, read the topics in the chapters "Manage indexes" and "Manage index storage" in this manual. For a list of all
indexes.conf attributes, see the indexes.conf specification file in the Admin Manual.
For the most part, you edit
indexes.conf in the same way as you would for any Splunk indexer. However, there are a few differences to be aware of.
The indexes.conf repFactor attribute
When you add a new index to the peers' common
indexes.conf file, you must set its
repFactor attribute to
auto. This causes that the index's data to be replicated to other peers in the cluster. For example:
[newindex] repFactor=auto homePath=<path for hot and warm buckets> coldPath=<path for cold buckets> thawedPath=<path for thawed buckets> ...
Specify homePath and coldPath with forward-slash directory separators
In heterogeneous environments, it's possible that the operating system for the master node on which you edit
indexes.conf could use a different convention for specifying directory paths from the operating system on the peer nodes where
indexes.conf gets distributed.
For example, if you have a Windows master and a set of Linux peers, the normal way to specify the
homePath on the Windows master would be to use the Windows backward-slash convention as a directory separator, while the Linux peers, to which the file gets distributed, require forward slashes.
To deal with this possibility, the best practice is to always use forward slashes when specifying directory paths in
coldPath, no matter which operating systems your master and peers use. For example:
homePath = $SPLUNK_HOME/var/lib/splunk/defaultdb/db/
Splunk will always accept the forward slash as a directory separator.
Distribute the new indexes.conf file to the peers
Once you've edited
indexes.conf, you need to distribute it to the cluster's set of peer nodes. To learn how to distribute configuration files, including
indexes.conf, across all the peers, read "Update common peer configurations".
For information about other types of peer configuration, read "Configure the peer nodes".
Configure the peer nodes
Configure the search head
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1