Archive

names of internal indexes "_audit" and "_thefishbucket"

zella
Explorer

I have confusion around the names of these internal indexes.

I was always taught to set up my stanzas in my indexes.conf to "_audit" and "_thefishbucket".

But upon examining a fresh install of Splunk without having set up indexes.conf yet, I noticed that under /$SPLUNK_HOME/var/lib/splunk, the indexes are listed as "audit" and "fishbucket" without the underscores or "the" in front of fishbucket.

So which is correct? If I tell my indexes.conf to set up a path to /var/lib/splunk/_thefishbucket and /var/lib/splunk/_audit, wouldn't it just make a new directory that isn't associated with the Splunk internal directories?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @zella,
when you speak of audit, the physical folder is _audit, when you speak of _thefishbucket, the physical folder is fishbucket, at the same time there's a folder called defaultdb, that's main index.
I don't know wht there are these differences between names and physical folders and why sometimes they used _ and sometimes not, but these are the names of internal indexes.

Anyway, they are internal Splunk indexes, so don't touch them and if you want to change retention or dimension copy the stanza from the default folder to the local folder to be more sure to use the correct one.

Ciao and Merry Christmas.
Giuseppe

0 Karma