If our Splunk installation lives at /opt/splunk, the index main is rooted at the path /opt/splunk/var/lib/splunk/defaultdb.

To change your storage location, either modify the value of SPLUNK_DB in $SPLUNK_HOME/etc/splunk-launch.conf or set absolute paths in indexes.conf. splunk-launch.conf cannot be controlled from an app, which means it is easy to forget when adding indexers. For this reason, and for legibility, I would recommend using absolute paths in indexes.conf.

The homePath directories contain index-level metadata, hot buckets, and warm buckets. coldPath contains cold buckets, which are simply warm buckets that have aged out. See the upcoming sections The lifecycle of a bucket and Sizing an index for details.
When to create more indexes
There are several reasons for creating additional indexes. If your situation does not match one of these cases, there is no need to create more indexes. In fact, multiple indexes may actually hurt performance if a single query needs to open multiple indexes.
Testing data
If you do not have a test environment, you can use test indexes for staging new
data. This then allows you to easily recover from mistakes by dropping the
test index. Since Splunk will run on a desktop, it is probably best to test new
configurations locally, if possible.
Differing longevity
It may be the case that you need more history for some source types than others.
The classic example here is security logs, as compared to web access logs. You may
need to keep security logs for a year or more but only need web access logs for a
couple of weeks.
If these two source types are left in the same index, security events will be stored in the same buckets as web access logs and will age out together. To split these events up, you need to perform the following steps:
1. Create a new index called security, for instance.
2. Define different settings for the security index.
3. Update inputs.conf to use the new index for security source types.
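As an added example (not from the book), the three steps above written out as configuration: the security index gets its own absolute storage paths and a one-year retention period, while web access logs stay in main. The storage paths, the monitored log file and the sourcetype are assumptions for illustration.

```ini
# indexes.conf (steps 1 and 2): a new "security" index with its own
# storage location and a one-year retention period.
[security]
# Absolute paths, as recommended above, rather than relying on SPLUNK_DB.
# The /opt/splunk prefix is assumed to match the installation directory.
homePath   = /opt/splunk/var/lib/splunk/security/db
coldPath   = /opt/splunk/var/lib/splunk/security/colddb
thawedPath = /opt/splunk/var/lib/splunk/security/thaweddb
# Buckets whose newest event is older than this many seconds are frozen
# (deleted unless a coldToFrozenDir is set): 365 days.
frozenTimePeriodInSecs = 31536000

# inputs.conf (step 3): route the security source type to the new index.
# Log path and sourcetype are assumed; web access logs are left in main,
# so they age out under that index's own frozenTimePeriodInSecs.
[monitor:///var/log/secure]
index = security
sourcetype = linux_secure
```

Both files live under an app's local directory or $SPLUNK_HOME/etc/system/local; the indexes.conf stanza must be present on every indexer, and inputs.conf on the forwarders reading the file.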