Documentation: 3.3
Print Version Contents
This page last updated: 07/02/08 02:07pm

indexes.conf

Indexes.conf controls index settings including archiving, retirement, path and tuning parameters.

To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/system/local/indexes.conf.

You can create this file by copying examples from $SPLUNK_HOME/etc/system/README/indexes.conf.example.

Never edit files in our default bundle in $SPLUNK_HOME/etc/system/default or your changes may be overwritten in an upgrade.

indexes.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains all possible options for an indexes.conf file.  Use this file to configure 
# Splunk's indexes and their properties.
#
# There is an indexes.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place an indexes.conf in $SPLUNK_HOME/etc/system/local/. For examples, see 
# indexes.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.
#
# CAUTION:  You can drastically affect your Splunk installation by changing these settings.  
# Consult technical support (support@splunk.com) if you are not sure how to configure this file.
#
# DO NOT change the attribute QueryLanguageDefinition without consulting technical support.

#****************************************************************************** 
# GLOBAL OPTIONS
# These options affect every index
#****************************************************************************** 

sync = <N non-negative number>
        * The index processor attempts to sync the index every N events. 
        * Set to 0 to disable.
        * Defaults to 0.

maxQueryIds = <non-negative number>
        * The maximum number of IDs a search attempts to resolve in a single query. 
        * Defaults to 10000000.
                * This is a good value for 32 bit systems.
                * You can raise this setting for 64bit installations with lots of RAM.

defaultDatabase = <database name>
        * If no index is specified during search, Splunk searches default database. 
        * Also the database displays by default on the homepage.
        * Defaults to main.
        
queryLanguageDefinition = <path to file>
        * The path to the search language definition file.
        * DO NOT EDIT THIS SETTING.
        * Defaults to $SPLUNK_HOME/etc/searchLanguage.xml.

blockSignatureDatabase = <database name>
        * This is the database that stores block signatures of events.
        * Defaults to _blocksignature.

#******************************************************************************
# PER INDEX OPTIONS
# These options may be set under an [$INDEX] entry 
#******************************************************************************

homePath = <path on server>
        * The path that contains the hot and warm databases and fields for the index. 
        * Databases that are warm have a handle open to them at all times in splunkd.
        * CAUTION: Path MUST be writable.

coldPath = <path on server>
        * The path that contains the cold databases for the index. 
        * Cold databases are opened as needed when searching.
        * CAUTION: Path MUST be writable.
        
thawedPath = <path on server>
        * The path that contains the thawed (resurrected) databases for the index.

# The following options can be set either per index or at the top of the file as defaults for all indexes.
# Defaults set at the top of the file are overridden if set on a per-index basis.

maxResults = <non-negative number>
        * The maximum number of results to fetch for a query. 
        * This is a hard-cap for the maxresults search directive.
        * Defaults to  500000 for 64 bit; 50000 for 32 bit.

maxWarmDBCount = <non-negative number>
        * The maximum number of warm db_N_N_N directories.
        * All warm DBs are in the <homePath> for the index. 
        * Warm DBs are kept in open state.
        * Defaults to 300.

maxColdDBCount = <non-negative number>
        * The maximum number of open cold databases at any given time.
        * THIS IS NOT the total number of cold databases. 
        * During search, splunkd keeps an LRU cache of all open cold DBs; 
     this number controls the size of that cache.
    * Defaults to 10.

maxTotalDataSizeMB = <non-negative number>
        * The maximum size of an index (in MB). 
        * If an index grows larger, the oldest data is frozen.
        * Defaults to 500000.

rotatePeriodInSecs = <non-negative number>
        * Frequency for checking to see if a new hot DB needs to be created.
        * Also the frequency to check if there are any cold DBs that need to be frozen.
        * Defaults to 60.

frozenTimePeriodInSecs = <non-negative number>
        * This number controls when cold DBs roll to frozen.
        * It is the number of seconds after which indexed data should be erased.
        * IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs before it will roll.
        * frozenTimePeriodInSecs will be frozen the next time splunkd checks.
        * Defaults to 188697600.

warmToColdScript = <$script> 
    * Specify a script to run when moving data from warm to cold. 
    * The script must accept two variables:
       * first, the warm directory to be rolled to cold.
       * second, the destination in the cold path.
    * You only need to set this if you store warm and cold dbs on separate partitions.
    * Please contact Splunk Support if you need help configuring this setting.
    * Defaults to empty.

coldToFrozenScript = <$script> <$DIR (optional)>
        * Must take in two variables:  the script to run and $DIR.
         * NOTE: Do not set $DIR.  The script will set it.  $DIR is optional.
        * Splunk ships with two exporting scripts: 
     compressedExport.sh - Export with tsidx files compressed as gz.
     flatfileExport.sh - Export as a flat text file.
    * Defaults to echo $DIR.

compressRawdata = <true|false>
        * If set to true, Splunk writes raw data out as compressed gz files.
        * If set to false, Splunk will write data to an uncompressed raw file.
        * Defaults to true.

maxConcurrentOptimizes = <number of concurrent optimize processes that can be run>
        * The number of concurrent optimize processes that can be run against the hot DB.
        * This number should be increased if: 
     1. There are always many small tsidx files in the hot db.
     2. After rolling, there are many tsidx files in warm or cold db.

waitForOptimize = < 0 = no, !0 = yes > 
        * Wait to roll until optimize processes finish (!0) or just kill them (0).
        * If you are seeing a big pause in indexing or searching during rolling set this to 0.

maxDataSize = <non-negative number>
        * The maximum size in MBs of the hot DB.
        * The hot DB will grow to this size before it is rolled out to warm.
        * Do not increase the default setting unless Splunk is running in 64bit mode.
        * Defaults to 750.
     
indexThreads = <non-negative number>
   * The number of extra threads to use during indexing. 
   * This number should not be set higher than the number of processors in the box. 
   * If splunkd is also doing parsing and aggregation, the number should be lower than the total 
    number of processors minus two.
   * Defaults to 0.

maxMemMB = <non-negative number>
   * The amount of memory to allocate for indexing. 
   * This amount of memory will be allocated PER INDEX THREAD.
   * OR If indexThreads is set to 0, once per index.
   * IMPORTANT:  Calculate this number carefully.
    * splunkd will crash if you set this number higher than what is available.
   * Defaults to 50.
   
blockSignSize = <non-negative number>
   * Controls how many events make up a block for block signatures. 
   * If it is set to 0 block signing is disabled for this index.
   * Defaults to 0.
   
#******************************************************************************    
# Advanced memory tuning parameters.  Do not alter these without contacting Splunk Support. 
# Use maxMemMB to control memory usage.
#******************************************************************************

maxTermChars = <non-negative number>
        * Defaults to 2097152.
   
maxTerms = <non-negative number> 
        * Defaults to 131072.
 
maxPostings = <non-negative number> 
        * Defaults to 2097152.
 
maxValues = <non-negative number> 
        * Defaults to 65536.

indexes.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains an example indexes.conf.  Use this file to configure indexing properties.
#
# To use one or more of these configurations, copy the configuration block into
# indexes.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to 
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.
#

# The following example sets up a new default index, called "hatch."

defaultDatabase = hatch

[hatch]

homePath   = $SPLUNK_DB/hatchdb/db
coldPath   = $SPLUNK_DB/hatchdb/colddb
thawedPath = $SPLUNK_DB/hatchdb/thaweddb
indexThreads = 1
# Max amount of physical memory (in megabytes) to use for a given index
maxMemMB = 200
maxDataSize = 10000

# The following example changes the default amount of space and memory Splunk's indexes use.

maxTotalDataSizeMB = 650000
maxMemMB = 75

# The following example changes the time data is kept around by default.
# It also sets an export script.  NOTE: You must edit this script to set export location before 
# running it.

maxWarmDBCount = 200
maxColdDBCount = 5
frozenTimePeriodInSecs = 432000
rotatePeriodInSecs = 30
coldToFrozenScript = /opt/bin/compressedExport.sh
Previous: fields.conf    |    Next: inputs.conf

Comments

No comments have been submitted.

Log in to comment.