Documentation:
3.1.4
Indexes.conf controls index settings including archiving, retirement, path and tuning parameters.
To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/indexes.conf.
You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/indexes.conf.example.
Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.
indexes.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains all possible options for an "indexes.conf" file.
#
# The processing properties of Splunk are configured through the files
# $SPLUNK_HOME/etc/bundles/<bundle name>/indexes.conf
#
#
#
# IMPORTANT: Settings changed in this file can drastically affect your
# Splunk installation. Consult technical support (support@splunk.com)
# before you attempt to modify anything other than the common attributes.
# DO NOT change the attribute: QueryLanguageDefinition without consulting
# technical support.
# A configuration looks like:
globalValue1 = gval1
globalValue2 = gval2
defaultValue1 = val1
defaultValue2 = val2
[$INDEX]
localValue1 = lval1
localValue2 = lval2
A database is a directory named as
db_<starttime>_<endtime>_<seq_num>
An index is a collection of these directories.
If the same [$INDEX] rules are found in two bundle directories, the following
precedence rules apply:
* attributes in $SPLUNK_HOME/etc/bundles/local/ are read first
* attributes in $SPLUNK_HOME/etc/bundles/default/ are read last
* attributes in the other directories in $SPLUNK_HOME/etc/bundles/ are loaded in alphabetical order by name.
Overriding is performed attribute by attribute, so if a specific
attribute is not specified in ../local/, but in another bundle,
it will be taken from that other bundle.
For indexes.conf, the possible attributes/value pairs, and their default values, are:
# Global options - These options affect every index.
# IMPORTANT: Changing these options can drastically affect your Splunk
# installation. Consult Splunk Support (support@splunk.com)
# before you attempt to modify anything other than the common attributes.
# DO NOT change the attribute QueryLanguageDefinition without consulting
# Splunk Support.
sync = <N non-negative number> (0)
* The index processor will attempt to sync the index every N events.
* Set to 0 to disable (default).
maxQueryIds = <non-negative number> (10000000)
* The maximum number of IDs a search will attempt to resolve in a single query.
* The default value (10000000) is a good value for 32bit systems.
* You can raise this setting for 64bit installations with lots of RAM.
defaultDatabase = <database name> (main)
* The database that will be used if no index is provided for a search.
* Also the database that will be selected by default on the homepage.
queryLanguageDefinition = <path to file> ($SPLUNK_HOME/etc/searchLanguage.xml)
* The path to the search language definition file.
* DO NOT EDIT THIS SETTING.
#Per index options - These options may be specified under an [$INDEX] entry or at the root of the file to set default options for all the indexes.
homePath = <path on server>
* The path that contains the hot and warm databases and fields for the index.
* Databases that are warm have a handle open to them at all times in splunkd.
coldPath = <path on server>
* The path that contains the cold databases for the index.
* Cold databases are opened as needed when searching.
thawedPath = <path on server>
* The path that contains the thawed (resurrected) databases for the index.
maxResults = <non-negative number> (64 bit: 500k, 32 bit: 50k)
* The maximum number of results to fetch for a query.
* This is a hard-cap for the maxresults search directive.
maxWarmDBCount = <non-negative number> (300)
* The maximum number of warm db_N_N_N directories.
* All warm DBs are in the <homePath> for the index.
* Warm DBs are kept in open state.
maxColdDBCount = <non-negative number> (10)
* The maximum number of open cold databases at any given time.
* THIS IS NOT the total number of cold databases.
* During search, splunkd keeps an LRU cache of all open cold DBs; this number controls the size of that cache.
maxTotalDataSizeMB = <non-negative number> (500000)
* The maximum size of an index.
* If an index grows larger, the oldest data is frozen.
rotatePeriodInSecs = <non-negative number> (60)
* Frequency for checking to see if a new hot DB needs to be created.
* Also the frequency to check if there are any cold DBs that need to be frozen.
frozenTimePeriodInSecs = <non-negative number> (188697600)
* This number controls when cold DBs roll to frozen.
* The number of seconds after which indexed data should be erased.
* Please note: every event in the DB must be older than frozenTimePeriodInSecs before it will roll.
* Once it is, the DB will be frozen the next time splunkd checks.
coldToFrozenScript = < <script file> $DIR > ( echo $DIR )
* Must take in two variables: the script to run and the path to the directories that are being frozen.
* Splunk ships with two exporting scripts:
compressedExport.sh - Export files with the tsidx files compressed as gz
flatfileExport.sh - Export files as a flat text file.
compressRawdata = <true|false> (true)
* If set to true, Splunk writes raw data out as compressed gz files.
* If set to false, Splunk will write data to an uncompressed raw file.
maxConcurrentOptimizes = <number of concurrent optimize processes that can be run>
* The number of concurrent optimize processes that can be run against the hot slice.
* This number should be increased if:
1. there are always many small tsidx files in the hot db
2. after rolling, there are many tsidx files in warm or cold db
waitForOptimize = < 0 = no, !0 = yes >
* Wait to roll until optimize processes finish (!0) or just kill them (0).
* If you are seeing a big pause while indexing or searching on roll, set this to 0.
maxDataSize = <non-negative number> (750)
* The number of MBs the hot DB is allowed to grow to before it is rolled out to warm.
* Do not increase the default setting unless Splunk is running in 64bit mode.
indexThreads = <non-negative number> (0)
* The number of extra threads to use during indexing for this index.
* This number should not be set higher than the number of processors in the box.
* If splunkd is also doing parsing and aggregation, the number should be lower than the total number of processors minus two.
maxMemMB = <non-negative number> (50)
* The amount of memory to allocate for indexing.
* This amount of memory will be allocated PER INDEX THREAD.
* If indexThreads is set to 0, it is allocated once per index.
* Please note: make sure you calculate this number carefully.
* splunkd will crash if you set this number higher than what is available.
# Advanced memory tuning parameters. Do not alter these without contacting Splunk Support. Use maxMemMB to control memory usage.
maxTermChars = <non-negative number> (2097152)
maxTerms = <non-negative number> (131072)
maxPostings = <non-negative number> (2097152)
maxValues = <non-negative number> (65536)
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
#
_actions = new,edit,delete
sync = 0
maxQueryIds = 10000000
defaultDatabase = main
queryLanguageDefinition = $SPLUNK_HOME/etc/searchLanguage.xml
maxWarmDBCount = 300
maxColdDBCount = 10
frozenTimePeriodInSecs = 188697600
rotatePeriodInSecs = 60
maxDataSize = 750
maxTermChars = 2097152
maxTerms = 131072
maxPostings = 2097152
maxValues = 65536
coldToFrozenScript = echo $DIR
compressRawdata = true
maxTotalDataSizeMB = 500000
indexThreads = 0
maxMemMB = 50
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
indexThreads = 1
# Max amount of physical memory (in megabytes) to use for a given index
maxMemMB = 200
maxDataSize = 10000
[splunklogger]
homePath = $SPLUNK_DB/splunkloggerdb/db
coldPath = $SPLUNK_DB/splunkloggerdb/colddb
thawedPath = $SPLUNK_DB/splunkloggerdb/thaweddb
maxDataSize = 10
frozenTimePeriodInSecs = 604800
[history]
homePath = $SPLUNK_DB/historydb/db
coldPath = $SPLUNK_DB/historydb/colddb
thawedPath = $SPLUNK_DB/historydb/thaweddb
maxDataSize = 10
frozenTimePeriodInSecs = 604800
[metaevents]
homePath = $SPLUNK_DB/metaeventdb/db
coldPath = $SPLUNK_DB/metaeventdb/colddb
thawedPath = $SPLUNK_DB/metaeventdb/thaweddb
[_internal]
homePath = $SPLUNK_DB/_internaldb/db
coldPath = $SPLUNK_DB/_internaldb/colddb
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
maxDataSize = 100
frozenTimePeriodInSecs = 604800
[_thefishbucket]
homePath = $SPLUNK_DB/fishbucket/db
coldPath = $SPLUNK_DB/fishbucket/colddb
thawedPath = $SPLUNK_DB/fishbucket/thaweddb
maxDataSize = 10
frozenTimePeriodInSecs = 604800
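The bundle precedence rules in the spec and the root-level defaults in the file above together decide how long each index keeps its data. The following is an added example, not Splunk code: it resolves both over constructed sample bundles and reports, per index, the retention in days and whether coldToFrozenScript is still the default echo $DIR. It assumes the first bundle read wins and that a value under [$INDEX] overrides a root-level default.

```python
# Constructed sample bundles (bundle name -> indexes.conf text), not real deployment data.
BUNDLES = {
    "default": """
        frozenTimePeriodInSecs = 188697600
        coldToFrozenScript = echo $DIR
        maxMemMB = 50
        [main]
        maxMemMB = 200
        [_internal]
        frozenTimePeriodInSecs = 604800
    """,
    "local": "[main]\ncoldToFrozenScript = compressedExport.sh $DIR\n",
}

def parse(text):
    """Return {stanza: {attr: value}}; root-level settings are stored under ''."""
    conf, stanza = {"": {}}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf

def read_order(names):
    """local first, default last, every other bundle alphabetically in between."""
    others = sorted(n for n in names if n not in ("local", "default"))
    return [n for n in ["local"] + others + ["default"] if n in names]

def effective(bundles):
    """Merge attribute by attribute (assumption: the first bundle read wins)."""
    merged = {}
    for name in read_order(bundles):
        for stanza, attrs in parse(bundles[name]).items():
            for k, v in attrs.items():
                merged.setdefault(stanza, {}).setdefault(k, v)
    root = merged.pop("", {})  # root-level values act as per-index defaults
    return {idx: {**root, **attrs} for idx, attrs in merged.items()}

def retention_report(bundles):
    """Per index: (retention in days, coldToFrozenScript still the default echo)."""
    return {idx: (int(a["frozenTimePeriodInSecs"]) // 86400,
                  a["coldToFrozenScript"].startswith("echo"))
            for idx, a in effective(bundles).items()}

if __name__ == "__main__":
    print(retention_report(BUNDLES))
```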
Comments
Those two attributes -- indexthreads and maxmemmb -- are index-specific attributes. You can set them either at the root of the file, in which case they will be global, or you can set them on a per-index basis.
As the spec file says:
#Per index options - These options may be specified under an [$INDEX] entry or at the root of the file to set default options for all the indexes.
If you specify attributes at the root of the file, these become default settings and can be overwritten by specifying them beneath an $INDEX stanza.
In the example above, the default maxMemMB = 50 but main overwrites it to maxMemMB = 200.
Posted by emma on Feb 07 2008, 1:55pm
My question was answered by carefully reading the SPEC
# Global options - These options affect every index.
Posted by rpetkus on Feb 07 2008, 1:46pm
For setting indexthreads and maxmemmb, do I want to edit global or [main]? Does global supersede main?
Posted by rpetkus on Feb 07 2008, 1:44pm