Splunk indexer
In most deployments, indexers handle both parsing and indexing of events. If there
is only one Splunk indexer, the search is typically handled on this server as well.
An indexer, as the name implies, indexes the data. It needs direct access to fast disks,
whether they are local disks, SANs, or network volumes.
In my experience, NFS does not work reliably for storing Splunk
indexes or files. Splunk expects its disks to act like a local disk, which,
at times, NFS does not. It is fine to read logs from NFS. iSCSI works
very well for indexers, as does SAN.
The configurations that typically matter to a Splunk indexer are:
inputs.conf: This configuration typically has exactly one input,
[splunktcp://9997]. This stanza instructs the indexer to listen for
connections from Splunk forwarders on port 9997.
indexes.conf: This configuration specifies where to place indexes and
how long to keep data. By default:
° all data will be written to $SPLUNK_HOME/var/lib/splunk
° the index will grow to a maximum size of 500 gigabytes before
dropping the oldest events
° the index will retain events for a maximum of six years before
dropping the oldest events
Events will be dropped when either limit is reached. We will discuss
changing these values under the Sizing indexers section.
props.conf and transforms.conf: If the indexer handles parsing, these
configurations control how the data stream is broken into events, how the
date is parsed, and what indexed fields are created, if any.
server.conf: This contains the license server address.
See the Sizing indexers section for a discussion about how
many indexers you might need.
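As an added example (not code from the book), the Python script below reads a constructed indexes.conf fragment and works out, for an assumed daily ingest rate, which of the two limits described above will actually bound retention for each index, since events are dropped as soon as either is reached. The stanza and key names (maxTotalDataSizeMB, frozenTimePeriodInSecs) follow Splunk's indexes.conf; 188697600 seconds is the value Splunk ships for the six-year default, and the index names and ingest rates are made up.

```python
import configparser

# Defaults the text describes: 500 GB per index and about six years of age;
# 188697600 s is the frozenTimePeriodInSecs value Splunk ships with.
DEFAULT_MAX_TOTAL_MB = 500_000
DEFAULT_FROZEN_SECS = 188_697_600

# Constructed indexes.conf fragment (not from a real deployment).
SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 188697600
[main]
homePath = $SPLUNK_HOME/var/lib/splunk/defaultdb/db
[security]
homePath = $SPLUNK_HOME/var/lib/splunk/security/db
maxTotalDataSizeMB = 100000
frozenTimePeriodInSecs = 31536000
"""


def load_indexes_conf(text):
    """Parse indexes.conf; like Splunk, the [default] stanza supplies
    fallback values for every other stanza."""
    cfg = configparser.ConfigParser(default_section="default", interpolation=None)
    cfg.read_string(text)
    return cfg


def effective_retention(cfg, index, ingest_mb_per_day):
    """Return (effective_days, binding_limit). Events are dropped when EITHER
    limit is reached, so retention is the smaller of the two; daily ingest is
    treated as on-disk size (compression ignored, a simplification)."""
    max_mb = cfg.getint(index, "maxTotalDataSizeMB", fallback=DEFAULT_MAX_TOTAL_MB)
    frozen_secs = cfg.getint(index, "frozenTimePeriodInSecs",
                             fallback=DEFAULT_FROZEN_SECS)
    age_days = frozen_secs / 86400
    size_days = max_mb / ingest_mb_per_day
    if size_days < age_days:
        return size_days, "size"
    return age_days, "age"


if __name__ == "__main__":
    cfg = load_indexes_conf(SAMPLE_INDEXES_CONF)
    for name, rate in (("main", 100.0), ("security", 1000.0)):
        days, limit = effective_retention(cfg, name, rate)
        print(f"{name}: ~{days:.0f} days of events, bounded by the {limit} limit")
```

An index whose size cap is hit long before its age limit keeps far less history than the configured retention period suggests, which matters when that index holds the audit trail an investigation later depends on.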