Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

What are all those brackets inside indexes.conf?

wuming79
Path Finder
‎10-19-2017 06:34 PM

Hi,

Is there a documentation that explains what are [_internal], [introspection] , [_splunklogger], etc? I'm trying to understand how frozenTimePeriodInSecs affects what. Now I just change all frozenTimePeriodInSecs under all square brackets to set my retirement policy there should be a result why there are so many square brackets there?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-19-2017 06:59 PM

Hi wuming79,

those are called stanzas and represent the start of configuration sections, everything after a stanza until the next stanza applies to it.
Find a detailed explanation here http://docs.splunk.com/Splexicon:Stanza

Hope this helps ...

cheers, MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...