Monitoring Splunk

names of internal indexes "_audit" and "_thefishbucket"

zella
Explorer

I have confusion around the names of these internal indexes.

I was always taught to set up my stanzas in my indexes.conf to "_audit" and "_thefishbucket".

But upon examining a fresh install of Splunk without having set up indexes.conf yet, I noticed that under /$SPLUNK_HOME/var/lib/splunk, the indexes are listed as "audit" and "fishbucket" without the underscores or "the" in front of fishbucket.

So which is correct? If I tell my indexes.conf to set up a path to /var/lib/splunk/_thefishbucket and /var/lib/splunk/_audit, wouldn't it just make a new directory that isn't associated with the Splunk internal directories?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @zella,
when you speak of audit, the physical folder is _audit, when you speak of _thefishbucket, the physical folder is fishbucket, at the same time there's a folder called defaultdb, that's main index.
I don't know wht there are these differences between names and physical folders and why sometimes they used _ and sometimes not, but these are the names of internal indexes.

Anyway, they are internal Splunk indexes, so don't touch them and if you want to change retention or dimension copy the stanza from the default folder to the local folder to be more sure to use the correct one.

Ciao and Merry Christmas.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...