Configuring indexes

Splunk lets you set the location (path) of your nonclustered indexes using Splunk Web, but most of the configuration must be done by editing the indexes.conf file (this discussion sticks to nonclustered indexes).

The indexes.conf file should be saved at $SPLUNK_HOME/etc/system/local/ or in a custom app directory, in $SPLUNK_HOME/etc/apps/.

The following are the most interesting index configuration attributes (you can use the product documentation to review the full list):

  • homePath, coldPath, and thawedPath: These attributes are all required settings. They indicate where Splunk will place the index buckets (hot/warm are stored in home, cold in cold, and thawed in thawed). The coldToFrozenDir attribute ...
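
As an added example (not from the book), the following Python check reports index stanzas in an indexes.conf file that do not set all three required path attributes. The index names and paths in the sample are constructed, and the code assumes each index is fully defined in the one file being checked and that `default` and `volume:` stanzas are not index definitions.

```python
# Added example: flag index stanzas that lack a required path attribute.
REQUIRED = ("homePath", "coldPath", "thawedPath")

# Constructed sample; the index names and paths are illustrative only.
SAMPLE_CONF = """\
# indexes.conf (constructed sample)
[web_logs]
homePath   = $SPLUNK_DB/web_logs/db
coldPath   = $SPLUNK_DB/web_logs/colddb
thawedPath = $SPLUNK_DB/web_logs/thaweddb

[auth_logs]
homePath = $SPLUNK_DB/auth_logs/db
coldPath = $SPLUNK_DB/auth_logs/colddb
# thawedPath is missing here

[fw_logs]
homePath = $SPLUNK_DB/fw_logs/db
coldPath =
thawedPath = $SPLUNK_DB/fw_logs/thaweddb
"""


def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} for a .conf-style file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()  # attribute names are case-sensitive
    return stanzas


def missing_paths(text):
    """Map each index stanza to the required attributes it omits or leaves empty."""
    problems = {}
    for name, attrs in parse_stanzas(text).items():
        # Assumption: "default" and "volume:*" stanzas are not index definitions.
        if name == "default" or name.startswith("volume:"):
            continue
        missing = [a for a in REQUIRED if not attrs.get(a)]
        if missing:
            problems[name] = missing
    return problems
```

Calling `missing_paths()` on the text of an indexes.conf file returns a dictionary keyed by index name; an empty dictionary means every index stanza sets all three paths.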
