Documentation:
3.2.3
Indexes.conf controls index settings including archiving, retirement, path and tuning parameters.
To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/indexes.conf.
You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/indexes.conf.example.
Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.
indexes.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains all possible options for an indexes.conf file. Use this file to configure
# Splunk's indexes and their properties.
#
# There is an indexes.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations,
# place an indexes.conf in your own custom bundle directory.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
#
# IMPORTANT: You can drastically affect your Splunk installation by changing these settings.
# Consult technical support (support@splunk.com) if you are not sure how to configure this file.
#
# DO NOT change the attribute queryLanguageDefinition without consulting technical support.
#******************************************************************************
# GLOBAL OPTIONS
# These options affect every index
#******************************************************************************
sync = <N non-negative number>
* The index processor will attempt to sync the index every N events.
* Set to 0 to disable.
* Defaults to 0.
maxQueryIds = <non-negative number>
* The maximum number of IDs a search will attempt to resolve in a single query.
* Defaults to 10000000.
* This is a good value for 32-bit systems.
* You can raise this setting for 64-bit installations with lots of RAM.
defaultDatabase = <database name>
* If no index is specified during search, Splunk searches the default database.
* This is also the database displayed by default on the homepage.
* Defaults to main.
queryLanguageDefinition = <path to file>
* The path to the search language definition file.
* DO NOT EDIT THIS SETTING.
* Defaults to $SPLUNK_HOME/etc/searchLanguage.xml.
blockSignatureDatabase = <database name>
* This is the database that will be used to store block signatures of events.
* Defaults to _blocksignature.
#******************************************************************************
# PER INDEX OPTIONS
# These options may be set under an [$INDEX] entry
#******************************************************************************
homePath = <path on server>
* The path that contains the hot and warm databases and fields for the index.
* Databases that are warm have a handle open to them at all times in splunkd.
* CAUTION: Path MUST be writable.
coldPath = <path on server>
* The path that contains the cold databases for the index.
* Cold databases are opened as needed when searching.
* CAUTION: Path MUST be writable.
thawedPath = <path on server>
* The path that contains the thawed (resurrected) databases for the index.
# The following options can be set either per index or at the top of the file as defaults for all indexes.
# Defaults set at the top of the file are overridden if set on a per-index basis.
maxResults = <non-negative number>
* The maximum number of results to fetch for a query.
* This is a hard-cap for the maxresults search directive.
* Defaults to 500000 for 64-bit; 50000 for 32-bit.
maxWarmDBCount = <non-negative number>
* The maximum number of warm db_N_N_N directories.
* All warm DBs are in the <homePath> for the index.
* Warm DBs are kept in open state.
* Defaults to 300.
maxColdDBCount = <non-negative number>
* The maximum number of open cold databases at any given time.
* THIS IS NOT the total number of cold databases.
* During search, splunkd keeps an LRU cache of all open cold DBs;
this number controls the size of that cache.
* Defaults to 10.
maxTotalDataSizeMB = <non-negative number>
* The maximum size of an index (in MB).
* If an index grows larger, the oldest data is frozen.
* Defaults to 500000.
rotatePeriodInSecs = <non-negative number>
* Frequency for checking to see if a new hot DB needs to be created.
* Also the frequency to check if there are any cold DBs that need to be frozen.
* Defaults to 60.
frozenTimePeriodInSecs = <non-negative number>
* This number controls when cold DBs roll to frozen.
* It is the number of seconds after which indexed data should be erased.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs before it will roll.
* A DB whose events are all older than frozenTimePeriodInSecs will be frozen the next time splunkd checks.
* Defaults to 188697600.
warmToColdScript = <$script>
* Specify a script to run when moving data from warm to cold.
* The script must accept two variables:
* first, the warm directory to be rolled to cold.
* second, the destination in the cold path.
* You only need to set this if you store warm and cold DBs on separate partitions.
* Please contact Splunk Support if you need help configuring this setting.
* Defaults to empty.
coldToFrozenScript = <$script $DIR>
* Must take in two variables: the script to run and the path to the directories to be frozen.
* Splunk ships with two exporting scripts:
compressedExport.sh - Export with tsidx files compressed as gz.
flatfileExport.sh - Export as a flat text file.
* Defaults to (echo $DIR).
compressRawdata = <true|false>
* If set to true, Splunk writes raw data out as compressed gz files.
* If set to false, Splunk will write data to an uncompressed raw file.
* Defaults to true.
maxConcurrentOptimizes = <number of concurrent optimize processes that can be run>
* The number of concurrent optimize processes that can be run against the hot DB.
* This number should be increased if:
1. There are always many small tsidx files in the hot db.
2. After rolling, there are many tsidx files in warm or cold db.
waitForOptimize = < 0 = no, !0 = yes >
* Wait to roll until optimize processes finish (!0) or just kill them (0).
* If you are seeing a big pause in indexing or searching during rolling, set this to 0.
maxDataSize = <non-negative number>
* The maximum size in MBs of the hot DB.
* The hot DB will grow to this size before it is rolled out to warm.
* Do not increase the default setting unless Splunk is running in 64-bit mode.
* Defaults to 750.
indexThreads = <non-negative number>
* The number of extra threads to use during indexing.
* This number should not be set higher than the number of processors in the box.
* If splunkd is also doing parsing and aggregation, the number should be lower than the total
number of processors minus two.
* Defaults to 0.
maxMemMB = <non-negative number>
* The amount of memory to allocate for indexing.
* This amount of memory will be allocated PER INDEX THREAD.
* If indexThreads is set to 0, this amount is allocated once per index instead.
* IMPORTANT: Calculate this number carefully.
* splunkd will crash if you set this number higher than what is available.
* Defaults to 50.
blockSignSize = <non-negative number>
* Controls how many events make up a block for block signatures.
* If it is set to 0 block signing is disabled for this index.
* Defaults to 0.
#******************************************************************************
# Advanced memory tuning parameters. Do not alter these without contacting Splunk Support.
# Use maxMemMB to control memory usage.
#******************************************************************************
maxTermChars = <non-negative number>
* Defaults to 2097152.
maxTerms = <non-negative number>
* Defaults to 131072.
maxPostings = <non-negative number>
* Defaults to 2097152.
maxValues = <non-negative number>
* Defaults to 65536.
indexes.conf.example
# This file contains an example indexes.conf. Use this file to configure indexing properties.
#
# There is an indexes.conf in the default directory ($SPLUNK_HOME/etc/bundles/default/).
# To set custom configurations, place an indexes.conf in your own custom bundle directory.
# The following example sets up a new default index, called "hatch."
defaultDatabase = hatch
[hatch]
homePath = $SPLUNK_DB@OsDirSep@hatchdb@OsDirSep@db
coldPath = $SPLUNK_DB@OsDirSep@hatchdb@OsDirSep@colddb
thawedPath = $SPLUNK_DB@OsDirSep@hatchdb@OsDirSep@thaweddb
indexThreads = 1
# Max amount of physical memory (in megabytes) to use for a given index
maxMemMB = 200
maxDataSize = 10000
# The following example changes the default amount of space and memory Splunk's indexes use.
maxTotalDataSizeMB = 650000
maxMemMB = 75
# The following example changes the time data is kept around by default.
# It also sets an export script. NOTE: You must edit this script to set export location before
# running it.
maxWarmDBCount = 200
maxColdDBCount = 5
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenScript = compressedExport.sh
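The retention, export, block-signing and memory settings in the spec combine per index, with stanza values overriding top-of-file defaults. The following Python audit is an added example, not Splunk code and not part of the original page: it resolves each index's effective values using the defaults quoted in the spec and lists findings. The 90-day retention threshold, the "scratch" index and the sample paths are assumptions made for illustration.

```python
# Added example (not Splunk code). Spec defaults are the values quoted on this page.
SPEC_DEFAULTS = {"frozenTimePeriodInSecs": "188697600", "coldToFrozenScript": "",
                 "indexThreads": "0", "maxMemMB": "50", "blockSignSize": "0"}

def parse_indexes_conf(text):
    """Split indexes.conf text into top-of-file defaults and per-index stanzas."""
    top, stanzas, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (top if current is None else current)[key] = value
    return top, stanzas

def audit(text, min_retention_days=90):  # threshold is an assumed local policy
    """Resolve each index (spec default < file default < stanza) and list findings."""
    top, stanzas = parse_indexes_conf(text)
    report = {}
    for name, own in stanzas.items():
        eff = {**SPEC_DEFAULTS, **top, **own}
        days = int(eff["frozenTimePeriodInSecs"]) / 86400
        findings = []
        if days < min_retention_days:
            findings.append("retention below policy")
        if not eff["coldToFrozenScript"]:
            findings.append("no export script for frozen data")
        if int(eff["blockSignSize"]) == 0:
            findings.append("block signing disabled")
        # maxMemMB is allocated per index thread, or once if indexThreads is 0
        mem = int(eff["maxMemMB"]) * max(int(eff["indexThreads"]), 1)
        report[name] = {"retention_days": days, "index_mem_mb": mem, "findings": findings}
    return report

# Constructed sample, modelled on the "hatch" example; "scratch" and paths are made up.
SAMPLE = """
frozenTimePeriodInSecs = 432000
maxMemMB = 75
[hatch]
indexThreads = 1
maxMemMB = 200
coldToFrozenScript = compressedExport.sh
blockSignSize = 100
[scratch]
homePath = /opt/splunk/scratch/db
"""
```

Calling `audit(SAMPLE)` returns one entry per index; pass the text of your own local indexes.conf to review it the same way.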