Splunk Enterprise Security

Help me in creating a index.conf for new index.

Path Finder

I am having trouble creating an index.conf; what could be the issue here? I am not getting it. Check the attachment, please.

This is what I put in index.conf in vi:

# indexes.conf: every index setting must sit under its own [stanza]
[rockyindi]
homePath = $SPLUNK_DB/rockyindi/db
coldPath = $SPLUNK_DB/rockyindi/colddb
thawedPath = $SPLUNK_DB/rockyindi/thaweddb
maxDataSize = 10000
maxTotalDataSizeMB = 100000
maxWarmDBCount = 200

1 Solution

Super Champion
  1. Have you specified an Index Volume group? It is highly recommended to have volume settings to abstract physical storage. Please read indexes.conf for details.
  2. Once you define Volumes for your hot/cold/thawed etc., the settings below should be good enough for basic purposes.
indexes.conf settings:
[rockyindi]
  homePath = volume:home/rockyindi/db
  coldPath = volume:cold/rockyindi/colddb
  thawedPath = volume:cold/rockyindi/thaweddb
  # Let volumes handle size; set a high limit per index (1 GB/day * 365 days), just to be safe
  maxTotalDataSizeMB = 365000
  # 1 year x 365 days x 24 hrs x 60 mins x 60 secs = total retention
  frozenTimePeriodInSecs = 31536000
  repFactor = auto
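
A quick sanity check for a file like this, added here as an example and not Splunk's own tooling or the answer's config: it parses an indexes.conf, flags settings that sit before any [stanza] header (the shape of the original post), and reports path settings that reference a volume the file never defines. The [volume:...] stanzas and their paths in the sample are assumed placeholders.

```python
import configparser

# Constructed sample: the accepted answer's index stanza together with the
# [volume:...] stanzas it relies on (the volume paths are placeholders).
SAMPLE_CONF = """
[volume:home]
path = /data/placeholder/splunk_hot
maxVolumeDataSizeMB = 500000

[volume:cold]
path = /data/placeholder/splunk_cold
maxVolumeDataSizeMB = 2000000

[rockyindi]
homePath = volume:home/rockyindi/db
coldPath = volume:cold/rockyindi/colddb
thawedPath = volume:cold/rockyindi/thaweddb
maxTotalDataSizeMB = 365000
frozenTimePeriodInSecs = 31536000
"""

PATH_KEYS = ("homePath", "coldPath", "thawedPath")


def check_indexes_conf(text):
    """Return a list of problems; an empty list means the file looks usable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        # Settings with no [stanza] above them never define an index
        return ["settings appear before any [index] stanza header"]
    problems = []
    volumes = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("volume:")}
    for name in cp.sections():
        if name.startswith("volume:"):
            if "path" not in cp[name]:
                problems.append(f"[{name}] has no path")
            continue
        sec = cp[name]
        for key in PATH_KEYS:
            value = sec.get(key)
            if value is None:
                problems.append(f"[{name}] missing {key}")
            elif value.startswith("volume:"):
                vol = value[len("volume:"):].split("/", 1)[0]
                if vol not in volumes:
                    problems.append(f"[{name}] {key} uses undefined volume '{vol}'")
            elif not value.startswith("$SPLUNK_DB/"):
                problems.append(f"[{name}] {key} must start with volume:<name>/ or $SPLUNK_DB/")
        if not sec.get("frozenTimePeriodInSecs", "0").isdigit():
            problems.append(f"[{name}] frozenTimePeriodInSecs must be an integer")
    return problems
```

The answer's repFactor = auto is left out of the sample because it only applies to indexers in a cluster. A clean result from this check still says nothing about the directory permissions that turned out to be the real cause here, so confirm the volume paths are writable by the user Splunk runs as.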


Esteemed Legend

That should work. Restart your indexer and watch for errors then try to write to it.

Path Finder

Thank you, woodcock.



Path Finder

I tried this but it didn't work. No idea what's going wrong.
Appreciate your time.


Path Finder

I realized it was a permission issue. Thanks for your help.
