Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are all those brackets inside indexes.conf?

wuming79
Path Finder
‎10-19-2017 06:34 PM

Hi,

Is there a documentation that explains what are [_internal], [introspection] , [_splunklogger], etc? I'm trying to understand how frozenTimePeriodInSecs affects what. Now I just change all frozenTimePeriodInSecs under all square brackets to set my retirement policy there should be a result why there are so many square brackets there?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-19-2017 07:02 PM

The documentation for indexes.conf will provide you answers for each of the configuration values.

The name between the square brackets in indexes.conf defines an index. _internal, _introspection, etc. are all internal indices that are configured by default in Splunk. You can create your own indices, either via the UI, the CLI, REST API or by editing indexes.conf directly.
This is documented in good detail here.

frozenTimePeriodInSecs is set to 6 years by default (in $SPLUNK_HOME/etc/system/default/indexes.conf). You can override it to fit your needs, either per index, or define your own global value. Do all of this either in $SPLUNK_HOME/etc/system/local/indexes.conf or create a custom app folder under .../etc/apps/myIndexDefs and put your definitions there. Never edit any files in any folders that have default in the name or your changes will be overwritten during the next Splunk upgrade.

I think giving this a good read may make things a little clearer.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-19-2017 06:59 PM

Hi wuming79,

those are called stanzas and represent the start of configuration sections, everything after a stanza until the next stanza applies to it.
Find a detailed explanation here http://docs.splunk.com/Splexicon:Stanza

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...