Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

Download topic as PDF

Optimize indexes

While the indexer is indexing data, one or more instances of the splunk-optimize process will run intermittently, merging index files together to optimize performance when searching the data. The splunk-optimize process can use a significant amount of cpu but only briefly. You can reduce the number of concurrent instances of splunk-optimize by changing the value of maxConcurrentOptimizes in indexes.conf, but this is not typically necessary.

If splunk-optimize does not run frequently enough, searching will be less efficient.

splunk-optimize runs only on hot buckets. You can run it on warm buckets manually, if you find one with a larger number of index (.tsidx) files; typically, more than 25. To run splunk-optimize, go to $SPLUNKHOME/bin and type:

 splunk-optimize -d|--directory <bucket_directory>

splunk-optimize accepts a number of optional parameters. To see a list of available parameters, type:

splunk-optimize

To enable verbose logging from splunk-optimize to splunkd.log, you can set category.SplunkOptimize in log.cfg to INFO or DEBUG. The recommended way to do this is through the CLI:

 splunk set log-level SplunkOptimize -level DEBUG -auth admin:passwd

For more information on buckets, see How Splunk stores indexes.

PREVIOUS
Manage pipeline sets for index parallelization
  NEXT
Use the monitoring console to view indexing performance

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters