Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are all those brackets inside indexes.conf?

wuming79
Path Finder
‎10-19-2017 06:34 PM

Hi,

Is there a documentation that explains what are [_internal], [introspection] , [_splunklogger], etc? I'm trying to understand how frozenTimePeriodInSecs affects what. Now I just change all frozenTimePeriodInSecs under all square brackets to set my retirement policy there should be a result why there are so many square brackets there?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-19-2017 06:59 PM

Hi wuming79,

those are called stanzas and represent the start of configuration sections, everything after a stanza until the next stanza applies to it.
Find a detailed explanation here http://docs.splunk.com/Splexicon:Stanza

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...