Getting Data In

indexes.conf location

Sqig
Path Finder

Hi. I need to add some limits to retention in my indexes.conf file on several indexers.

The documentation suggests that the best place for the indexes.conf to reside is in $SPLUNK_HOME/etc/system/local

It looks like whomever build our Indexers put indexes.conf in $SPLUNK_HOME/etc/apps/search/local

This tells me that the indexes.conf is valid only for the search app...though I'm not sure that this matters.

Also, when I use the CLI to add a new index, it adds them to the latter location, not etc/system/local

So my questions are twofold:
* Why would we be directed to store index info in etc/system/local if Splunk's own CLI-based tool adds the data to etc/apps/search/local?
* Would there be either a benefit or a drawback to moving indexes.conf to etc/system/local?

Where possible, I would like to keep our implementation of Splunk as close to the documented methods as possible, but the actual "best practice" here is a little hard to determine.

Thoughts / advice?

Thanks!

Tags (1)
1 Solution

lguinn2
Legend

When you are working in the Splunk GUI, you are always working in the context of an app. Even when you go into the Manager section, you are still in an app context. You can see what the context is if you look in the upper left corner of the screen - it will say "Return to XXX". XXX is your current app.

So, whatever you do (like creating a new index) via the GUI will be stored in

$SPLUNK_HOME/etc/apps/XXX/local within the appropriate configuration file.

This is expected behavior. For index-time configurations, like indexes.conf, the only effect of the configuration file location is precedence. Precedence is only important if you define the same thing in two different places - which version takes precedence? (Look it up here if you care.) If you only have one copy of indexes.conf, it doesn't matter where you put it. There is no benefit to one location over another.

If you are creating indexes.conf by hand, you might as well put it in $SPLUNK_HOME/etc/system/local. The documentation tends to offer specific advice instead of a long explanation (like this one), because it gets things working faster and is usually less confusing.

View solution in original post

lguinn2
Legend

When you are working in the Splunk GUI, you are always working in the context of an app. Even when you go into the Manager section, you are still in an app context. You can see what the context is if you look in the upper left corner of the screen - it will say "Return to XXX". XXX is your current app.

So, whatever you do (like creating a new index) via the GUI will be stored in

$SPLUNK_HOME/etc/apps/XXX/local within the appropriate configuration file.

This is expected behavior. For index-time configurations, like indexes.conf, the only effect of the configuration file location is precedence. Precedence is only important if you define the same thing in two different places - which version takes precedence? (Look it up here if you care.) If you only have one copy of indexes.conf, it doesn't matter where you put it. There is no benefit to one location over another.

If you are creating indexes.conf by hand, you might as well put it in $SPLUNK_HOME/etc/system/local. The documentation tends to offer specific advice instead of a long explanation (like this one), because it gets things working faster and is usually less confusing.

ipapa_splunk
Splunk Employee
Splunk Employee

Very valuable answer. The documentation for file precedence has been moved please find it here for the Enterprise 7.0.2 http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Wheretofindtheconfigurationfiles

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...