Introspection endpoint descriptions

infinite = No maximum specified.

infinite = No maximum specified (i.e., 0, the default)

This is a global setting, not a per index setting.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

This is a global setting, not a per index setting.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host

• less than 2GB RAM = 67108864 (64MB) tsidx
• 2GB to 8GB RAM = 134217728 (128MB) tsidx
• more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

Required. Splunk Enterprise does not start if an index lacks a valid coldPath.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk Enterprise ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade.

Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

• For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
• For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index

When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

Required. Splunk Enterprise does not start if an index lacks a valid homePath.

CAUTION: Path MUST be readable and writable.

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

Caution: Do not set this value, except under advice from Splunk Support.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

If set to 0, the indexer checks child process status every second.

Highest legal value is 4294967295.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

Note: Do not change this parameter without the input of a Splunk Support.

Cannot be defined in terms of a volume definition.

Required. Splunk Enterprise does not start if an index lacks a valid thawedPath</codePath>.

Note: Do not change this parameter without the input of Splunk Support.

If specified, it must be defined in terms of a volume definition.

Caution: Path must be writable.

Default value: volume:_splunk_summaries/$_index_name/tstats

This attribute is supported for backwards compatibility with Splunk Enterprise versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used.

If enabled (set to True), degrades indexing performance

Can only be set globally.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

true = Summarized response, omitting some index details, providing a faster response.
false = full response.

This is a global setting, not a per index setting.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

This is a global setting, not a per index setting.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support.

Default value, auto, varies by the amount of physical RAM on the host

• less than 2GB RAM = 67108864 (64MB) tsidx
• 2GB to 8GB RAM = 134217728 (128MB) tsidx
• more than 8GB RAM = 268435456 (256MB) tsidx

Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295

You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence

If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories.

Splunk Enterprise ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade.

Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.

If your new script in bin/ is named myColdToFrozen.py, set this key to the following:

coldToFrozenScript = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/bin/myColdToFrozen.py"

By default, the example script has two possible behaviors when archiving:

• For buckets created from version 4.2 and on, it removes all files except for rawdata. To thaw: cd to the frozen bucket and type splunk rebuild ., then copy the bucket to thawed for that index. We recommend using the coldToFrozenDir parameter unless you need to perform a more advanced operation upon freezing buckets.
• For older-style buckets, we simply gzip all the .tsidx files. To thaw: cd to the frozen bucket and unzip the tsidx files, then copy the bucket to thawed for that index

When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.

For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).

Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed

Caution: Do not set this value, except under advice from Splunk Support.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

By default it is turned off (zero).

If set to 0, the indexer checks child process status every second.

Highest legal value is 4294967295.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

Note: Do not change this parameter without the input of a Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

If specified, it must be defined in terms of a volume definition.

Caution: Path must be writable.

Default value: volume:_splunk_summaries/$_index_name/tstats

This attribute is supported for backwards compatibility with Splunk Enterprise versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration are not used.

If enabled (set to True), degrades indexing performance

Can only be set globally.

If this is set to 0, block signing is disabled for this index.

A recommended value is 100.

This is a global setting, not a per index setting.

Bucket freezing policy is as follows:

• New style buckets (4.2 and on): removes all files but the rawdata

To thaw, run splunk rebuild <bucket dir> on the bucket, then move to the thawed directory

• Old style buckets (Pre-4.2): gzip all the .data and .tsidx files

To thaw, gunzip the zipped files and move the bucket into the thawed directory

If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence.

See the POST parameter description for details.

This is a global setting, not a per index setting.

Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

This number should be increased if instructed by Splunk Support. Typically the default value should suffice.

• "auto" sets the size to 750MB.
• "auto_high_volume" sets the size to 10GB on 64-bit, and 1GB on 32-bit systems.

Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding.

If you specify an invalid number or string, maxDataSize is auto-tuned.

Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy.

When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.

If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll.

Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data.

This is a global setting, not a per index setting.

If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README).

There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant.

If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies.

Highest legal value is 2147483647. To disable this parameter, set to 0.

Note: this is an advanced parameter. Understand the consequences before changing.

Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza.

To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.

This is a global setting, not a per-index setting.

The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices.

During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files.

If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.

If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.

partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens.

If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect.

This is a mechanism to prevent main hot buckets from being polluted with fringe events.

This is a mechanism to prevent the main hot buckets from being polluted with fringe events.

Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size.

Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support.

auto = Use the master index replication configuration value.

0 = Turn off replication for this index.

• If a new hot bucket needs to be created.
• If there are any cold buckets that should be frozen.
• If there are any buckets that need to be moved out hot and cold DBs, due to size constraints.

You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.

This is a global setting, not a per index setting.

This is a global setting, not a per index setting.

Note: Do not change this parameter without the input of Splunk Support.

Note: Do not change this parameter without the input of Splunk Support.

Enterprise
Forwarder
Free
Invalid
Trial

normal
dedicated forwarder

enterprise
hunk
lite
lite_free
splunk

cluster_search_head
cluster_master
cluster_slave
deployment_server
deployment_client
heavyweight_forwarder
indexer
kv_store
lightweight_forwarder
license_master
license_slave
search_head
search_peer
shc_deployer
universal_forwarder

See also: server/roles endpoint.

• "idx=<indexerName> Throttling indexer, too many tsidx files in bucket=<bucketName>. Is splunk-optimize working? If not, low disk space may be the cause."
• "You are low in disk space on partition <partitionName>. Indexing is paused. Will resume when free disk space rises above <minFreeMB>."

• normal
• throttled
• stopped

• count - Number of collection documents or objects.
• indexSizes - Key and size of every index on the collection.
• lastExtentSize - Size of last allocated extent.
• nindexes - Number of indexes on the collection.
• ns - Current collection namespace.
• numExtents - Number of contiguously allocated data file regions.
• paddingFactor - Amount of space added to each document.
• size - Collection records total size.
• storageSize - Collection document storage allocation.
• systemFlags - Collection flags that reflect internal server options.
• totalIndexSize - Size of all indexes.
• userFlags - Collection flags set by user.

• set - Replicate Set Name set in the server.conf file.
• date - Current time in ISO format.
• myState - Startup process, basic operations, and potential error states:
  • 0 STARTUP Initial member state. Cannot vote.
  • 1 PRIMARY Only member that can accept write operations. Can vote.
  • 2 SECONDARY Data store replication member. Can vote.
  • 3 RECOVERING Members perform startup self-checks, or transition from completing a rollback or resync. Can vote.
  • 4 FATAL Unrecoverable error encountered. Cannot vote.
  • 5 STARTUP2 Forks replication and election threads before becoming a secondary. Cannot vote.
  • 6 UNKNOWN Never connected to replica set. Cannot vote.
  • 7 ARBITER Participate in elections, do not replicate data. Can vote.
  • 8 DOWN Cannot be accessed by the set. Cannot vote.
  • 9 ROLLBACK Performs rollback. Can vote.
  • 10 REMOVED Removed from the replica set. Cannot vote.
• members - Descriptions of members of replica set:
  • _id - Member ID.
  • name - Server name.
  • health - Status: 1 = up, 0 = down.
  • state - Replica state (See MyState).
  • stateStr - String representation of state.
  • uptime - Online interval (seconds).
  • optime - Information about last operations log operation.
    • t - 32-bit timestamp of last operation.
    • i - Number of operations since the last timestamp.
  • optimeDate - Time of last operations log operation in ISO format.
  • lastHeartbeat - Transmission time of last heartbeat in ISO format.
  • lastHeartbeatRecv - Time last heartbeat received in ISO format.
  • pingMs - Round-trip packet time (msec).
  • syncingTo - On secondary and recovering members, hostname of member from which this instance is syncing.
• ok - Command return status: 1 = Success, 0 = Failure.
• oplogInfo - Operations log information:
  • start - Start time.
  • end - End time.
  • collectionStats - Collection storage statistics:
    • ns - Current collection namespace.
    • count - Number of collection documents or objects.
    • size - Collection records total size.
    • avgObjSize - Average object size in collection (bytes).
    • storageSize - Collection document storage allocation.
    • numExtents - Number of contiguously allocated data file regions.
    • nindexes - Number of indexes on the collection.
    • lastExtentSize - Size of last allocated extent.
    • paddingFactor - Amount of space added to each document.
    • systemFlags - Collection flags that reflect internal server options.
    • userFlags - Collection flags set by user.
    • totalIndexSize - Size of all indexes.
    • indexSizes - Key and size of every index on the collection.
    • capped - Capped setting: true = capped, false = not capped.
    • max - Max collection size.
    • ok - Command return status: 1 = Success, 0 = Failure.
  • sources - Operations log sources.

• asserts - Number of database assertions since the server process started, for each of the following levels/types:
  • regular
  • warning
  • msg
  • user
  • rollovers
• backgroundFlushing - Write to disk flush metrics:
  • flushes - Number of times writes flushed.
  • total_ms - Number of msec processes used to flush writes.
  • average_ms - Relationship between flushes and total_ms, in msec.
  • last_ms - Number of msec the last flush took.
  • last_finished (date) - ISO time of last completed write flush operation.
• connections - Current incoming connections status and database availability:
  • current - Number of active client connections.
  • available - Number of unused connections available.
  • totalCreated - Total number of connections created, including closed connections.
• cursors - [DEPRECATED] Current cursor and state. Use metrics, instead.
• dur - (Durability) Journaling-related operations and performance. Journaling must be enabled.:
  • commits - Number of transactions written to the journal during the last group commit interval.
  • journaledMB - Amount of data (MB) written to the journal during the last group commit interval.
  • writeToDataFilesMB - Amount of data (MB) written from journal to data files during the last group commit interval.
  • compression - Compression ratio of data written to journal: (journaled_size_of_data / uncompressed_size_of_data)
  • commitsInWriteLock - Number of commits that occurred during a write lock.
  • earlyCommits - Number of commits requested before scheduled group commit time.
  • timeMs: Performance during various journaling phases.
    • dt - Data collection interval (msec).
    • prepLogBuffer - Time spend preparing to write to journal (msec).
    • writeToJournal - Time spent writing to journal (msec).
    • writeToDataFiles - Time spent writing to data files after journaling (msec).
    • remapPrivateView - Time spent remapping copy-on-write memory mapped views (msec).
• extra_info - Platform-specific information:
  • note - Platform-specific information.
  • heap_usage_bytes - Total heap space size used by database (bytes). Applicable to *nix systems, only.
  • page_faults - Total number of page faults that require disk operations.
• globalLock - Information about the current database lock state, historical lock status, and active clients:
  • totalTime - Time since database started and globalLock creation (usec).
  • lockTime - Time since database started that globalLock has been held (usec).
  • currentQueue: Information about operations queued because of a lock.
    • total - Total number of operations queued waiting on readers and writers locks.
    • readers - Number of operations queued waiting for read lock.
    • writers - Number of operations queued waiting for write lock.
  • activeClients: Information about number and operation types of connected clients.
    • total - Total number of readers and writers connections.
    • readers - Number of connected clients performing read operations.
    • writers - Number of connected clients performing write operations.
• host - Hostname and port number.
• indexCounters - Index usage counters:
  • accesses - Number of times operations accessed indexes.
  • hits - Number of times index accessed and returned from memory.
  • misses - Number of attempts to access index not in memory.
  • resets - Number of times index counters reset since database last started.
  • missRatio - Ratio of hits to misses.
• localTime - ISO-formatted local time.
• locks - State and read/write use of global and database-specific locks:
  • timeLockedMicros - Amount of time a lock existed, for all databases of this server instance (usec).
  • timeAcquiringMicros - Amount of time operations spend waiting, for lock for all databases of this server instance (usec).
  • admin: Lock use in the admin database.
    • timeLockedMicros - Amount of time locks existed in the admin database context (usec).
    • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the admin database context (usec).
  • local: Lock use in the local database.
    • timeLockedMicros - Amount of time locks existed in the local database context (usec).
    • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the local database context (usec).
  • search.<collection>: Locks used in each collection.
    • timeLockedMicros - Amount of time locks exist in the collection context (usec).
    • timeAcquiringMicros - Amount of time spent waiting to acquire a lock in the collection context (usec).
• mem - Memory usage: System architecture and memory usage metrics.
  • bits - System address architecture: 32 or 64 bit architecture.
  • resident - Amount of RAM currently used by the database process (MB).
  • virtual - Amount of virtual memroy used (MB).
  • supported: true = supports extended memory information, false = does not support extended memory information.
  • mapped - Amount of mapped memory for database (MB).
  • mappedWithJournal - Amount of mapped memory, including journaling memory (MB). Always twice the size of mapped.
• metrics - Current instance use and state:
  • cursor: Cursor state and use.
    • timedOut - Total number of cursors that have timed out since the server process started.
    • open: - Information about open cursors.
      • noTimeout - Number of open cursors with option set to prevent timeout after a period of inactivity.
      • pinned - Number of pinned open cursors.
      • total - Number of cursors maintained for clients, typically less than zero.
  • document: Information about document access and modification patterns and data use. Compare these values to opcounters data, which track total number of operations.
    • deleted - Total number of deleted documents.
    • inserted - Total number of inserted documents.
    • returned - Total number of documents returned by queries.
    • updated - Total number of updated documents.
  • getLastError: Information about getLastError use.
    • wtime: getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
      • num - getLastError operation counts with a specified write concern that wait for one or more members of a replica set to acknowledge the write operation.
      • totalMillis - Amount of time spent performing getLastError operations with write concern that wait for one or more members of a replica set to acknowledge the write operation (msec).
    • wtimeouts - Number of times write concern operations timed out as a result of the wtimeout threshold to getLastError.
  • operation: Counters for several types of update and query operations handled using special operation types.
    • fastmod - Number of update operations that neither cause documents to grow nor require updates to the index.
    • idhack - Number of queries that contain the _key field.
    • scanAndOrder - Number of queries that return sorted numbers that cannot perform the sort operation using an index.
  • queryExecutor: Data from the query execution system.
    • scanned - Number of index items scanned during queries and query-plan evaluation.
    • scannedObjects - Total number of documents scanned during the query.
  • record: Data related to record allocation in the on-disk memory files.
    • moves - Number of times documents move within the on-disk representation of the data set. Documents move as a result of operations that increase the size of the document beyond their allocated record size.
  • repl: Metrics related to the ordered history of logical writes.
    • apply: - Information about the application of ordered history of logical writes.
      • batches: Information on the ordered history of logical writes application process on secondaries members of replica sets.
        • num - Number of batches applied across all databases.
        • totalMillis - Amount of time spent applying ordered history of logical write operations (msec).
      • ops - Number of ordered history of logical write operations.
    • buffer: Information to track the ordered history of logical write operations buffer.
      • count - Number of operations on the ordered history of logical writes buffer.
      • maxSizeBytes/ - Maximum size of the ordered history of logical writes buffer.
      • sizeBytes - Current size of the contents of the ordered history of logical writes buffer.
    • network: Network use information for the replication process.
      • bytes - Amount of data read from the replication sync source (bytes).
      • getmores: Information about queries for additional results from the ordered history of logical write operations cursor as part of the replication process.
        • num - Number of queries for additional results from the ordered history of logical write operations, which are operations that request an additional set of operations from the replication sync source.
        • totalMillis - Amount of time to collect data from queries for additional results from the ordered history of logical write operations (msec).
      • ops - Number of operations read from the replication source.
      • readersCreated - Number of queries for additional results from the ordered history of logical write operations processes created.
    • preload: Information about replication pre-fetch.
      • docs: Information about documents loaded into memory during replication pre-fetch.
        • num - Number of documents loaded during replication pre-fetch.
        • totalMillis - Amount of time spent loading documents as part of replication pre-fetch (msec).
      • indexes: Information about index items loaded into memory during replication pre-fetch.
        • num - Number of index entries loaded by members before updating documents as part of replication pre-fetch.
        • totalMillis - Amount of time spent loading index entries as part of replication pre-fetch (msec).
  • storage: Freelist behavior monitoring statistics.
    • freelist: Freelist bucket behavior monitoring statistics.
      • search: Freelist bucket behavior monitoring search statistics.
        • bucketExhausted - Number of times bucket fully searched, requiring advance to next bucket.
        • requests - Number of times the allocation function was called.
        • scanned - Number of freelist bucket entries examined.
  • ttl: Information about resource use of the ttl index process.
    • deletedDocuments - Number of documents deleted from collections with a ttl index.
    • passes - Number of times background process removes documents from collections with a ttl index.
• network - Network use and state:
  • bytesIn - Amount of network traffic received by this database (bytes).
  • bytesOut- Amount of network traffic sent from this database (bytes).
  • numRequests - Number of distinct requests received by the server.
• ok - Command return status: 1 = Success, 0 = Failure.
• opcounters - Overview of database operations by type, similar to opcountersRepl:
  • insert - Number of insert operations since instance started.
  • query - Number of queries since instance started.
  • update - Number of update operations since instance started.
  • delete - Number of delete operations since instance started.
  • getmore - Number of getmore operations since instance started.
  • command - Number of commands issued since instance started.
• opcountersRepl - Overview of replication operations by type, similar to opcounters:
  • insert - Number of replicated insert operations since instance started.
  • query - Number of replicated queries since instance started.
  • update - Number of replicated update operations since instance started.
  • delete - Number of replicated delete operations since instance started.
  • getmore - Number of replicated getmore operations since instance started.
  • command - Number of replicated commands issued since instance started.
• pid - Process ID.
• recordStats - Page fault statistics:
  • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for all databases.
  • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for all databases.
  • admin: Admin database page fault statistics.
    • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the admin database.
    • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the admin database.
  • local: Local database page fault statistics.
    • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the local database.
    • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the local database.
  • search.<collection>: Search database page fault statistics.
    • accessesNotInMemory - Number of times memory page accessed that was not resident in memory, for the search database.
    • pageFaultExceptionsThrown - Number of page fault exceptions thrown when accessing data for the search database.
• uptime - Amount of time database process has been active (seconds).
• uptimeEstimate - Amount of time database process has been active as calculated from the internal, course-grained time keeping system (seconds).
• uptimeMillis - Amount of time database process has been active (msec).
• version - Version number (not used).
• writeBacksQueued - Write-backs queued status: true = write-backs queued, false = write-backs not queued.

Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.

Startup time indicates that parsing is complete and the distributed search infrastructure is set up. At startup, the Splunk platform is ready to wait for responses from indexers.

Example values:
Linux: ext2, ext3, ext4, qnx4
Solaris: ufs, zfs
Windows: ntfs, fat32
AIX: jfs
(not OS-specific) WORM: ISO9660, UDF13346
(not OS-specific); network-shared: SMB, CIFS, NFS
(not OS-specific) Veritas: VxFS.