Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Configure index storage

You configure indexes in indexes.conf. How you edit indexes.conf depends on whether you're using index replication, also known as indexer clustering:

  • For non-clustered indexes, edit the version of indexes.conf in $SPLUNK_HOME/etc/system/local/, or create one if it does not already exist there. Do not edit the copy in $SPLUNK_HOME/etc/system/default. For information on configuration files and directory locations, see About configuration files.
  • For clustered indexes, create and edit a version of indexes.conf on the cluster master node and then distribute it to all the peer nodes, as described in Configure the peer indexes in an indexer cluster.

For non-clustered indexes only, you can optionally use Splunk Web to configure the path to your indexes. Go to Settings > Server settings > General settings. Under the section Index settings, set the field Path to indexes. After doing this, you must restart the indexer from the CLI, not from within Splunk Web. Most other settings, however, require direct editing of indexes.conf.

Attributes that affect index buckets

This table lists the key indexes.conf attributes affecting buckets and what they configure. It also provides links to other topics that show how to use these attributes. For the most detailed information on these attributes, as well as others, always refer to the indexes.conf spec file.

Attribute What it configures Default For more information, see ...
homePath The path that contains the hot and warm buckets. (Required.)

This location must be writable.

$SPLUNK_HOME/var/lib/splunk/ defaultdb/db/ (for the default index only) Configure index path attributes
coldPath The path that contains the cold buckets. (Required.)

This location must be writable.

$SPLUNK_HOME/var/lib/splunk/ defaultdb/colddb/ (for the default index only) Configure index path attributes
thawedPath The path that contains any thawed buckets. (Required.)

This location must be writable.

$SPLUNK_HOME/var/lib/splunk/ defaultdb/thaweddb/ (for the default index only) Configure index path attributes
repFactor Determines whether the index gets replicated to other cluster peers. (Required for indexes on cluster peer nodes.) 0 (which means that the index will not get replicated to other peers; the correct behavior for non-clustered indexes). For clustered indexes, you must set repFactor to auto, which causes the index to get replicated. Configure the peer indexes in an indexer cluster
maxHotBuckets The maximum number of hot buckets. This value should be at least 2, to deal with any archival data. The main default index, for example, has this value set to 10. 3, for new, custom indexes. How data ages
maxDataSize Determines rolling behavior, hot to warm. The maximum size for a hot bucket. When a hot bucket reaches this size, it rolls to warm. This attribute also determines the approximate size for all buckets. Depends; see indexes.conf. Set a retirement and archiving policy
maxWarmDBCount Determines rolling behavior, warm to cold. The maximum number of warm buckets. When the maximum is reached, warm buckets begin rolling to cold. 300 Use multiple partitions for index data
maxTotalDataSizeMB Determines rolling behavior, cold to frozen. The maximum size of an index. When this limit is reached, cold buckets begin rolling to frozen. 500000 (MB) Set a retirement and archiving policy
frozenTimePeriodInSecs Determines rolling behavior, cold to frozen. Maximum age for a bucket, after which it rolls to frozen. 188697600 (in seconds; approx. 6 years) Set a retirement and archiving policy
coldToFrozenDir Location for archived data. Determines behavior when a bucket rolls from cold to frozen. If set, the indexer will archive frozen buckets into this directory just before deleting them from the index. If you don't set either this attribute or coldToFrozenScript, the indexer will just log the bucket's directory name and then delete it once it rolls to frozen. Archive indexed data
coldToFrozenScript Script to run just before a cold bucket rolls to frozen. If you set both this attribute and coldToFrozenDir, the indexer will use coldToFrozenDir and ignore this attribute. If you don't set either this attribute or coldToFrozenDir, the indexer will just log the bucket's directory name and then delete it once it rolls to frozen. Archive indexed data


Maximum size for homePath (hot/warm bucket storage) or coldPath (cold bucket storage). If either attribute is missing or set to 0, its path is not individually constrained in size. None Configure index size according to bucket type
maxVolumeDataSizeMB Maximum size for a volume. If the attribute is missing, the individual volume is not constrained in size. None Configure index size with volumes

Configure index path attributes

When creating a new index, you configure several index path attributes, for example, homePath and coldPath. When you configure path attributes, follow these restrictions and recommendations:

  • The path must be writable. In the case of homePath, the parent path must also be writable.
  • Do not use environment variables in index paths. The only exception to this is SPLUNK_DB.
  • The path cannot be a root directory, such as homePath=/myindex or homePath=C:\myindex.
  • It is recommended that you specify the path using $_index_name as placeholder for the index name. For example:

homePath = $SPLUNK_DB/$_index_name/db
At run time, the indexer expands $_index_name to the name of the index. For example, if the index name is "newindex", homePath becomes $SPLUNK_DB/newindex/db.

The set of index path attributes includes:

  • homePath
  • coldPath
  • thawedPath
  • bloomHomePath
  • summaryHomePath
  • tstatsHomePath

For more information on path attributes, see the indexes.conf spec file.

For information on using multiple partitions to hold your index data, see Use multiple partitions for index data .

Index size and indexer clusters

The attributes that control the size of an index and its number of buckets operate on each peer node individually. They do not operate across the cluster.

For example, take the maxTotalDataSizeMB attribute. This attribute specifies the maximum size of the index. Its value is applied on a per-peer basis to limit the size of the index on each peer. When an index reaches its maximum size on a particular peer node, the peer freezes the oldest bucket in its copy of the index.

This means that the size of an index on a peer node is determined by the total size of all bucket copies for that index on that peer node. It doesn't matter whether the copies are primary copies, searchable copies, non-searchable copies, or excess copies. They all count toward the index size on that peer.

Because a cluster usually does not distribute bucket copies perfectly evenly across the set of peer nodes, an index will typically be a different size on each of the peer nodes. This means that the index might reach its maximum size on one peer while still having room to grow on the other peers.

To handle this situation, each peer tells the master when it freezes a copy of a bucket. At that point, the master no longer initiates fix-up activities for the frozen bucket. The master does not, however, instruct the other peers to freeze their copies of that bucket. Each peer will subsequently freeze its copy of the bucket, if any, when its copy of the index reaches the maximum size limit. See How the cluster handles frozen buckets.

Note: Although these attributes operate separately on each peer, you should set them to the same values across all peers in the cluster. See Configure the peer indexes in an indexer cluster.

For help in sizing your cluster disk space needs, see Storage considerations.

How the indexer stores indexes
Move the index database

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters