Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Precendence question about indexes.conf

jkamdar
Communicator
‎01-14-2025 08:05 AM

 

Got a question about file precedency in Splunk.

If I have 2 indexes.conf. One in $SPLUNK_HOME/etc/system/local/indexes.conf and 2nd one in $SPLUNK_HOME/etc/apps/search/local/indexes.conf, which one would take precedence?  

Mainly, to move all the data to be frozen after one year I have configured the default section in my $SPLUNK_HOME/etc/system/local/indexes.conf 

frozenTimePeriodInSecs = 31536000

But it's different for other indexes in $SPLUNK_HOME/etc/apps/search/local/indexes.conf.

So how would Splunk see it and apply?

 

Thanks for your help in advance. 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2025 08:34 AM

Use the btool command to see which settings will take effect the next time Splunk restarts.

splunk btool --debug indexes list
---
If this reply helps you, Karma would be appreciated.
Reply

jkamdar
Communicator
‎01-14-2025 11:08 AM

Not sure, how I ended up responding to a solved question, sorry.

@diogofgm thanks, I keep forgetting using btool 😞

So when I run the command you suggested, I see {default] section earlier than my specific index like, [ubunt], [rhel]. So I assume, the whatever came 1st under [default] (in my case, "frozenTimePeriodInSecs") would apply and no what I have under [ubuntu] or [rhel], correct?

Thanks for your help. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2025 12:19 PM

Settings in the [default] stanza apply if they are not mentioned in a specific stanza.  IOW, if you have

[default]
frozenTimePeriodInSecs = 36000000

[ubuntu]
frozenTimePeriodInSecs = 72000000

[rhel]
someOtherSetting = foo

 The ubuntu index will have a retention period of 72,000,000 seconds and the rhel index will have a retention period of 36,000,000 seconds.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-14-2025 09:21 AM

You should read this as a starting point to understand Splunk precedence. https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles
Then you should also understand that precedence depends also are you indexing or searching. But as @richgalloway said best way to check it is btool with differentiaali options.

0 Karma
Reply

jkamdar
Communicator
‎01-14-2025 08:33 AM

Thanks @kiran_panchavat. That's what my understanding was but I got a different response from a support engineer (see below) that's why I wanted to confirm. 

$SPLUNK_HOME/etc/system/local/indexes.conf (This file contains the default settings for the entire Splunk instance and will apply globally unless overridden.)

$SPLUNK_HOME/etc/apps/search/local/indexes.conf (Configuration files in app-specific directories (like the search app) will override the settings in the system-level configuration files. This means that any settings defined here for specific indexes will take precedence over the default settings from $SPLUNK_HOME/etc/system/local/indexes.conf.)

0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎01-14-2025 08:26 AM

@jkamdar 

The configuration in `$SPLUNK_HOME/etc/system/local/indexes.conf` takes precedence over `$SPLUNK_HOME/etc/apps/search/local/indexes.conf`.

For example, if you define an index called `windows` in both `/system/local` and `/apps/search/local`, the configuration in `/system/local` will take precedence for the `windows` index.

However, if you define `windows` in `/system/local` and a different index, such as `linux`, in `/apps/search/local`, the settings for `windows` will come from `/system/local`, while the settings for `linux` will come from `/apps/search/local`, as it doesn’t exist in `/system/local`.

https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles#:~:text=C...

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...