Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are all those brackets inside indexes.conf?

wuming79
Path Finder
‎10-19-2017 06:34 PM

Hi,

Is there a documentation that explains what are [_internal], [introspection] , [_splunklogger], etc? I'm trying to understand how frozenTimePeriodInSecs affects what. Now I just change all frozenTimePeriodInSecs under all square brackets to set my retirement policy there should be a result why there are so many square brackets there?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-19-2017 06:59 PM

Hi wuming79,

those are called stanzas and represent the start of configuration sections, everything after a stanza until the next stanza applies to it.
Find a detailed explanation here http://docs.splunk.com/Splexicon:Stanza

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top