Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Precendence question about indexes.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Precendence question about indexes.conf
jkamdar
Path Finder
01-14-2025
08:05 AM
Got a question about file precedency in Splunk.
If I have 2 indexes.conf. One in $SPLUNK_HOME/etc/system/local/indexes.conf and 2nd one in $SPLUNK_HOME/etc/apps/search/local/indexes.conf, which one would take precedence?
Mainly, to move all the data to be frozen after one year I have configured the default section in my $SPLUNK_HOME/etc/system/local/indexes.conf
frozenTimePeriodInSecs = 31536000
But it's different for other indexes in $SPLUNK_HOME/etc/apps/search/local/indexes.conf.
So how would Splunk see it and apply?
Thanks for your help in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
01-14-2025
08:34 AM
Use the btool command to see which settings will take effect the next time Splunk restarts.
splunk btool --debug indexes list
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkamdar
Path Finder
01-14-2025
11:08 AM
Not sure, how I ended up responding to a solved question, sorry.
@diogofgm thanks, I keep forgetting using btool 😞
So when I run the command you suggested, I see {default] section earlier than my specific index like, [ubunt], [rhel]. So I assume, the whatever came 1st under [default] (in my case, "frozenTimePeriodInSecs") would apply and no what I have under [ubuntu] or [rhel], correct?
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
01-14-2025
12:19 PM
Settings in the [default] stanza apply if they are not mentioned in a specific stanza. IOW, if you have
[default]
frozenTimePeriodInSecs = 36000000
[ubuntu]
frozenTimePeriodInSecs = 72000000
[rhel]
someOtherSetting = fooThe ubuntu index will have a retention period of 72,000,000 seconds and the rhel index will have a retention period of 36,000,000 seconds.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
isoutamo
SplunkTrust
01-14-2025
09:21 AM
You should read this as a starting point to understand Splunk precedence. https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles
Then you should also understand that precedence depends also are you indexing or searching. But as @richgalloway said best way to check it is btool with differentiaali options.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkamdar
Path Finder
01-14-2025
08:33 AM
Thanks @kiran_panchavat. That's what my understanding was but I got a different response from a support engineer (see below) that's why I wanted to confirm.
$SPLUNK_HOME/etc/system/local/indexes.conf (This file contains the default settings for the entire Splunk instance and will apply globally unless overridden.)
$SPLUNK_HOME/etc/apps/search/local/indexes.conf (Configuration files in app-specific directories (like the search app) will override the settings in the system-level configuration files. This means that any settings defined here for specific indexes will take precedence over the default settings from $SPLUNK_HOME/etc/system/local/indexes.conf.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kiran_panchavat
Influencer
01-14-2025
08:26 AM
The configuration in `$SPLUNK_HOME/etc/system/local/indexes.conf` takes precedence over `$SPLUNK_HOME/etc/apps/search/local/indexes.conf`.
For example, if you define an index called `windows` in both `/system/local` and `/apps/search/local`, the configuration in `/system/local` will take precedence for the `windows` index.
However, if you define `windows` in `/system/local` and a different index, such as `linux`, in `/apps/search/local`, the settings for `windows` will come from `/system/local`, while the settings for `linux` will come from `/apps/search/local`, as it doesn’t exist in `/system/local`.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
