After a restart, is there a way to configure which...

chrisboy68 · ‎10-30-2015

HI,

I have a few large directories that take a long time for Splunk to start indexing after a restart. Is there an ability to provide a priority on which stanzas Splunk should start indexing first over others? Some of my file monitoring stanzas are nice to have and others are critical. I would like to see the Criticals indexed first.

Thank you,

Chris

woodcock · ‎10-30-2015

I am pretty sure that it is done alphabetically but in any case, however you find that it is done, I am sure there is no way to control it. Once you figure out how exactly splunk orders it's work, you can exploit this by using directory links. If this is *nix, you use ln -fs. Then you modify your inputs.conf to use the new path. For example, assuming alphabetical processing, lets say your existing structure is like this:

/etc/mydir/priority3.log <-indexing first
/opt/mydir/priority1.log <- indexing second
/var/logs/priority2.log <- indexing third

You would do this to fix:

mkdir /splunkprioritization/
ln -fs /opt/mydir/ /splunkprioritization/priority1/
ln -fs /var/logs/ /splunkprioritization/priority2/
ln -fs /etc/mydir/ /splunkprioritization/priority3/

Then modify your inputs.conf accordingly to swap out the old paths with the new paths.

After a restart, is there a way to configure which monitor stanzas Splunk should start processing first to prioritize what gets indexed?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

After a restart, is there a way to configure which monitor stanzas Splunk should start processing first to prioritize what gets indexed?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine