Hi. I need to add some limits to retention in my indexes.conf file on several indexers.
The documentation suggests that the best place for the indexes.conf to reside is in $SPLUNK_HOME/etc/system/local
It looks like whomever build our Indexers put indexes.conf in $SPLUNK_HOME/etc/apps/search/local
This tells me that the indexes.conf is valid only for the search app...though I'm not sure that this matters.
Also, when I use the CLI to add a new index, it adds them to the latter location, not etc/system/local
So my questions are twofold:
* Why would we be directed to store index info in etc/system/local if Splunk's own CLI-based tool adds the data to etc/apps/search/local?
* Would there be either a benefit or a drawback to moving indexes.conf to etc/system/local?
Where possible, I would like to keep our implementation of Splunk as close to the documented methods as possible, but the actual "best practice" here is a little hard to determine.
Thoughts / advice?
Thanks!
When you are working in the Splunk GUI, you are always working in the context of an app. Even when you go into the Manager section, you are still in an app context. You can see what the context is if you look in the upper left corner of the screen - it will say "Return to XXX". XXX is your current app.
So, whatever you do (like creating a new index) via the GUI will be stored in
$SPLUNK_HOME/etc/apps/XXX/local
within the appropriate configuration file.
This is expected behavior. For index-time configurations, like indexes.conf, the only effect of the configuration file location is precedence. Precedence is only important if you define the same thing in two different places - which version takes precedence? (Look it up here if you care.) If you only have one copy of indexes.conf, it doesn't matter where you put it. There is no benefit to one location over another.
If you are creating indexes.conf by hand, you might as well put it in $SPLUNK_HOME/etc/system/local
. The documentation tends to offer specific advice instead of a long explanation (like this one), because it gets things working faster and is usually less confusing.
When you are working in the Splunk GUI, you are always working in the context of an app. Even when you go into the Manager section, you are still in an app context. You can see what the context is if you look in the upper left corner of the screen - it will say "Return to XXX". XXX is your current app.
So, whatever you do (like creating a new index) via the GUI will be stored in
$SPLUNK_HOME/etc/apps/XXX/local
within the appropriate configuration file.
This is expected behavior. For index-time configurations, like indexes.conf, the only effect of the configuration file location is precedence. Precedence is only important if you define the same thing in two different places - which version takes precedence? (Look it up here if you care.) If you only have one copy of indexes.conf, it doesn't matter where you put it. There is no benefit to one location over another.
If you are creating indexes.conf by hand, you might as well put it in $SPLUNK_HOME/etc/system/local
. The documentation tends to offer specific advice instead of a long explanation (like this one), because it gets things working faster and is usually less confusing.
Very valuable answer. The documentation for file precedence has been moved please find it here for the Enterprise 7.0.2 http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Wheretofindtheconfigurationfiles