An index in Splunk is a storage pool for events, capped by size, time, or both. By default, all events will go to the index specified by
defaultDatabase, which is called main but lives in a directory called
Each index occupies a set of directories on the disk. By default, these directories live in
$SPLUNK_DB, which, by default, is located in
Look at the following stanza for the
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume
If our Splunk installation lives at
/opt/splunk, the index main ...
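To see which directories the stanza above points at, the following added example (not code from the original page or from Splunk) parses the stanza and expands $SPLUNK_DB in the three path settings. The function name resolve_index_paths and the $SPLUNK_DB value /opt/splunk/var/lib/splunk are assumptions made for illustration.

```python
import configparser
from pathlib import PurePosixPath
from string import Template

# Constructed sample input: the [main] stanza shown above.
SAMPLE_CONF = """\
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume
"""

# The settings in the stanza that name directories on disk.
PATH_KEYS = ("homePath", "coldPath", "thawedPath")


def resolve_index_paths(conf_text, splunk_db):
    """Return {index: {setting: absolute path}} with $SPLUNK_DB expanded."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep camelCase setting names as written
    parser.read_string(conf_text)

    resolved = {}
    for index in parser.sections():
        paths = {}
        for key in PATH_KEYS:
            if key not in parser[index]:
                continue
            raw = parser[index][key]
            # safe_substitute leaves any other $VARIABLE untouched
            expanded = Template(raw).safe_substitute(SPLUNK_DB=splunk_db)
            paths[key] = str(PurePosixPath(expanded))
        resolved[index] = paths
    return resolved


if __name__ == "__main__":
    # Assumed value of $SPLUNK_DB for an installation under /opt/splunk.
    assumed_db = "/opt/splunk/var/lib/splunk"
    for index, paths in resolve_index_paths(SAMPLE_CONF, assumed_db).items():
        for key, path in paths.items():
            print(f"{index}.{key} -> {path}")
```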