Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Understanding Indexes.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Understanding Indexes.conf
Hello guys,
I would like to understand if i have any misconfiguration on my indexes files, and for how long do i keep logs online, archived and when they are deleted (since my HDD is getting full quickly):
[default]
suppressBannerList =
frozenTimePeriodInSecs = 15778463
throttleCheckPeriod = 15
quarantineFutureSecs = 2592000
partialServiceMetaPeriod = 0
serviceOnlyAsNeeded = true
maxHotBuckets = 3
enableOnlineBucketRepair = true
bucketRebuildMemoryHint = auto
maxRunningProcessGroups = 8
maxDataSize = auto
maxWarmDBCount = 300
assureUTF8 = false
maxHotIdleSecs = 0
enableRealtimeSearch = true
serviceMetaPeriod = 25
repFactor = 0
maxConcurrentOptimizes = 3
maxHotSpanSecs = 7776000
maxTimeUnreplicatedWithAcks = 60
syncMeta = true
coldToFrozenDir =
maxRunningProcessGroupsLowPriority = 1
serviceSubtaskTimingPeriod = 30
quarantinePastSecs = 77760000
rawChunkSizeBytes = 131072
sync = 0
maxBucketSizeCacheEntries = 1000000
coldToFrozenScript = "/opt/splunk/bin/python" "/opt/splunk/bin/coldToFrozen.py"
rotatePeriodInSecs = 60
memPoolMB = auto
defaultDatabase = main
enableDataIntegrityControl = true
minRawFileSyncSecs = disable
compressRawdata = true
maxMetaEntries = 1000000
maxBloomBackfillBucketAge = 30d
maxTotalDataSizeMB = 500000
maxTimeUnreplicatedNoAcks = 300
[_audit]
coldPath = $SPLUNK_DB/audit/colddb
homePath = $SPLUNK_DB/audit/db
thawedPath = $SPLUNK_DB/audit/thaweddb
[_internal]
frozenTimePeriodInSecs = 2419200
homePath = $SPLUNK_DB/_internaldb/db
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
maxDataSize = 100
coldPath = $SPLUNK_DB/_internaldb/colddb
[_thefishbucket]
frozenTimePeriodInSecs = 2419200
homePath = $SPLUNK_DB/fishbucket/db
thawedPath = $SPLUNK_DB/fishbucket/thaweddb
maxDataSize = 10
coldPath = $SPLUNK_DB/fishbucket/colddb
[history]
frozenTimePeriodInSecs = 604800
homePath = $SPLUNK_DB/historydb/db
thawedPath = $SPLUNK_DB/historydb/thaweddb
maxDataSize = 10
coldPath = $SPLUNK_DB/historydb/colddb
[main]
maxDataSize = auto_high_volume
homePath = $SPLUNK_DB/defaultdb/db
maxHotBuckets = 10
coldPath = $SPLUNK_DB/defaultdb/colddb
maxHotIdleSecs = 86400
maxConcurrentOptimizes = 6
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
[splunklogger]
coldPath = $SPLUNK_DB/splunklogger/colddb
disabled = true
homePath = $SPLUNK_DB/splunklogger/db
thawedPath = $SPLUNK_DB/splunklogger/thaweddb
[summary]
coldPath = $SPLUNK_DB/summarydb/colddb
homePath = $SPLUNK_DB/summarydb/db
thawedPath = $SPLUNK_DB/summarydb/thaweddb
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This looks like an exact copy of the default indexes conf with some added/changed values. And you seem to not know what you are doing.
Anyway. So... I'm assuming you are currently storing all your data in the "main" index.
This means that here the [default] frozenTimePeriodInSecs = 15778463 applies to the retention time. Which is approx. 182 days.
How to fix this:
go to the $SPLUNK_HOME directory (under linux it's /opt/splunk/)
Navigate from there to /opt/splunk/etc/system/local/
Create a file called "indexes.conf"
Write the following:
[main]
frozenTimePeriodInSecs = 604800
Save and restart splunk. Now the data in the main index will be saved for only 7 days instead of 182.
If you wanna know more about what indexes.conf does and what the parameters do, look here:
https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Indexesconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@alvaroveiga, please keep in mind that the twin configuration parameter of frozenTimePeriodInSecs is maxTotalDataSizeMB which as we can see on line #39 has the default of 500000 MBs, around 1/2 TB.
Together they control the size of the index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Read these post about how Splunk's data rentention policy works and what all indexes.conf parameters are used in setting them. Once you know about how it's implemented, you'd be able to read and understand your indexes.conf values.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Setaretirementandarchivingpolicy
https://wiki.splunk.com/Deploy:BucketRotationAndRetention
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Data Management Digest – May 2026
Index This | What is feather-light but cannot be held long?
.conf26 Registration is Live: Secure Your Early Bird Pass Now
