Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

names of internal indexes "_audit" and "_thefishbucket"

zella
Explorer
‎12-23-2019 06:18 AM

I have confusion around the names of these internal indexes.

I was always taught to set up my stanzas in my indexes.conf to "_audit" and "_thefishbucket".

But upon examining a fresh install of Splunk without having set up indexes.conf yet, I noticed that under /$SPLUNK_HOME/var/lib/splunk, the indexes are listed as "audit" and "fishbucket" without the underscores or "the" in front of fishbucket.

So which is correct? If I tell my indexes.conf to set up a path to /var/lib/splunk/_thefishbucket and /var/lib/splunk/_audit, wouldn't it just make a new directory that isn't associated with the Splunk internal directories?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-23-2019 08:44 AM

Hi @zella,
when you speak of audit, the physical folder is _audit, when you speak of _thefishbucket, the physical folder is fishbucket, at the same time there's a folder called defaultdb, that's main index.
I don't know wht there are these differences between names and physical folders and why sometimes they used _ and sometimes not, but these are the names of internal indexes.

Anyway, they are internal Splunk indexes, so don't touch them and if you want to change retention or dimension copy the stanza from the default folder to the local folder to be more sure to use the correct one.

Ciao and Merry Christmas.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...