Monitoring Splunk

names of internal indexes "_audit" and "_thefishbucket"


I have confusion around the names of these internal indexes.

I was always taught to set up my stanzas in my indexes.conf to "_audit" and "_thefishbucket".

But upon examining a fresh install of Splunk without having set up indexes.conf yet, I noticed that under /$SPLUNK_HOME/var/lib/splunk, the indexes are listed as "audit" and "fishbucket" without the underscores or "the" in front of fishbucket.

So which is correct? If I tell my indexes.conf to set up a path to /var/lib/splunk/_thefishbucket and /var/lib/splunk/_audit, wouldn't it just make a new directory that isn't associated with the Splunk internal directories?

0 Karma

Esteemed Legend

Hi @zella,
when you speak of audit, the physical folder is _audit, when you speak of _thefishbucket, the physical folder is fishbucket, at the same time there's a folder called defaultdb, that's main index.
I don't know wht there are these differences between names and physical folders and why sometimes they used _ and sometimes not, but these are the names of internal indexes.

Anyway, they are internal Splunk indexes, so don't touch them and if you want to change retention or dimension copy the stanza from the default folder to the local folder to be more sure to use the correct one.

Ciao and Merry Christmas.

0 Karma
Get Updates on the Splunk Community!

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...

Observability Cloud | AWS PrivateLink Enabled for Splunk Observability Cloud

We’ve enabled AWS PrivateLink for Observability Cloud, giving you an additional inbound connection to send ...

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...