indexes.conf

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains all possible options for a "indexes.conf" file.
#
# The processing properties of Splunk are configured through the files
# $SPLUNK_HOME/etc/bundles/<bundle name>/indexes.conf
#
# 
#
# IMPORTANT:  Settings changed in this file can drastically affect your 
# Splunk installation.  Consult technical support (support@splunk.com)
# before you attempt to modify anything other than the common attributes.  
# DO NOT change the attribute: QueryLanguageDefinition without consulting 
# technical support.

# A configuration looks like:
globalValue1 = gval1
globalValue2 = gval2

defaultValue1 = val1
defaultValue2 = val2

[<database>]    
localValue1 = lval1
localValue2 = lval2

If the same <database> is found in two bundle directories, the following 
precedence rules apply. Attributes in the "local" bundle are read first and
attributes in the "default" bundle are read last. Attributes in the
other bundles are loaded in alphabetical order of bundle name.

Overriding is performed attribute by attribute, so if a specific
attribute is not specified in "local", but in another bundle,
it will be taken from that other bundle.

For the purposes of this file a database will refer to a directory named as
db_<starttime>_<endtime>_<seq_num> and an index will refer to a collection of 
these directories.

The possible attributes/value pairs, and their default values, are:

# Global options - These options effect every index 
# IMPORTANT:  Changing these options can drastically affect your Splunk 
# installation. Consult technical support (support@splunk.com) 
# before you attempt to modify anything other than the common attributes.  
# DO NOT change the attribute: QueryLanguageDefinition without consulting 
# technical support.

sync = <non-negative number> (0)
  * If this number is non zero the indexprocessor will attempt to sync
    the index every N events where N is the value of this setting. 
    It is recommended that this be set to 0.

maxQueryIds = <non-negative number> (10000000)
  * The maximum number of ids a search will attempt to resolve
    in a single query. This is a good value for 32bit systems.
    It can be raised for 64bit installations with lots of RAM.

defaultDatabase = <database name> (main)
  * This is the database that will be used if no index:: term is provided.
    Also the database that will be selected by default on the homepage.

queryLanguageDefinition = <path to file> ($SPLUNK_HOME/etc/searchLanguage.xml)
  * The path to the search language definition file. It is recommended that this not be changed.

#Per index options - These options may be specified under an [index] entry or at the root of the file to set default options for the indexes. 

homePath = <path on server>
   * The path that will contain db-hot (the hot database), the warmdatabases and fields for the index. Databases that are warm will have a handle open to them at all times in splunkd.

coldPath = <path on server>
   * The path that will contain the cold databases for the index. Cold databases will be opened as needed when searching.

thawedPath = <path on server>
   * The path that will contain the thawed (resurrected) databases for the index.

maxWarmDBCount = <non-negative number> (300)
   * The maximum number of db_N_N_N directories that will be in the warm db state. All warm dbs will be in the <homePath> for the index and splunk will maintain these directories in the open state.

maxColdDBCount = <non-negative number> (10)
   * The number of cold database that we will hold a open handle to. NOT the number of cold databases that can exist. When searching and opening cold indexes splunkd keeps an LRU cache of the colddbs it has open, this number controls the size of that cache.

frozenTimePeriodInSecs = <non-negative number> (188697600)
   * If there is ever any database who's last time is earlier than now - frozenTimePeriodInSecs will be frozen the next time splunkd checks.

rotatePeriodInSecs = <non-negative number> (60)
   * Frequency for checking to see if a new db-hot needs to be created,  and to check to see if there are any dbs that need to be frozen.

maxDataSize = <non-negative number> (750)
   * The number of MB's db hot is allowed to grow to before it is rolled out to warm.
     This number should not be increased unless Splunk is running in 64bit mode. 
     

maxTermChars = <non-negative number> (2097152)
   * An advanced memory tuning parameter for the index. It is recommended that this parameter not be used.
     Instead the maxMemMB parameter be used instead.

maxTerms = <non-negative number> (131072)
   * An advanced memory tuning parameter for the index. It is recommended that this parameter not be used.
     Instead the maxMemMB parameter be used instead.

maxPostings = <non-negative number> (2097152)
   * An advanced memory tuning parameter for the index. It is recommended that this parameter not be used.
     Instead the maxMemMB parameter be used instead.

maxValues = <non-negative number> (65536)
   * An advanced memory tuning parameter for the index. It is recommended that this parameter not be used.
     Instead the maxMemMB parameter be used instead.

coldToFrozenScript = < <script file> $DIR > ( echo $DIR )
   * The script to run on directories that are being frozen. The variable $DIR will be replaced by the 
     path to the directory. The default script just echos the directory name to stdout. 
     A setting that would copy the directories to an archive dir is cp -r $DIR /my_archive
     Splunk ships with two other example scripts 
     compressedExport.sh - Export files with the tsidx files compressed as gz
     flatfileExport.sh - Export files as a flat text file.

compressRawdata = <true|false> (true)
   * If set to true splunk writes raw data out as compressed gz files if set to false, Splunk will write data to an uncompressed raw file.

maxTotalDataSizeMB = <non-negative number> (500000)
   * The maximum size of an index. If an index grows bigger than this the oldest data is frozen out.

indexThreads = <non-negative number> (0)
   * The number of extra threads to use for indexing for this index. This number should not be 
     set to higher than the number of processors in the box. If splunkd is also doing parsing and aggregation the number should be lower than 2 less than the number of processors.

maxMemMB = <non-negative number> (50)
   * The amount of memory to allocate for indexing. This amount of memory will be allocated PER INDEX THREAD or once
     per index if indexThreads is set to 0 so it is important not to set it so that it will allocate more memory than is addressable otherwise splunkd  will crash.