Size matters

When it comes to the sizing of indexes, it is important to allow appropriate extra or buffer space as Splunk, during normal processing, can sporadically exceed indexes' set maximum size. Again, configuring the sizes of indexes is done by editing the indexes.conf file.

Index-by-index attributes

You can set index sizes (using the maxTotalDataSizeMB attribute) in the indexes.conf file based on your knowledge of the data.

Bucket types

Index sizing can also be done using bucket types. A bucket is a location or folder on a disk that contains all or parts of a Splunk index. You can set a maximum size for all hot and warm buckets using the following syntax:

homePath.maxDataSizeMB = 10000

To set the maximum size for all cold bucket storage, you ...

Get Mastering Splunk now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Splunk by James Miller

Size matters

Index-by-index attributes

Bucket types

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly