Working with multiple indexes

An index in Splunk is a storage pool for events, capped by size, time, or both. By default, all events will go to the index specified by defaultDatabase, which is called main but lives in a directory called defaultdb.

The directory structure of an index

Each index occupies a set of directories on the disk. By default, these directories live in $SPLUNK_DB, which, by default, is located in $SPLUNK_HOME/var/lib/splunk.

Look at the following stanza for the main index:

[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume

If our Splunk installation lives at /opt/splunk, the index main ...

Get Implementing Splunk - Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Implementing Splunk - Second Edition by Vincent Bumgarner, James D Miller

Working with multiple indexes

The directory structure of an index

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly