index_name variable to use in all index paths


I'm looking for a variable that can be used to replace the index name for the following configs in the indexes.conf file:




I'm using volumes for my index paths, and in V6 I have found a variable called $_index_name which replaces the home & cold paths with the index name. This is how my global config now looks:

coldPath = volume:cold/$_index_name/colddb

homePath = volume:hot/$_index_name/db

This successfully replaces the index name; however, if I use this variable in the thawedPath, it won't resolve the variable and instead tries to create a folder called $_index_name, which fails as the different indexes try to use the same location.

I'm trying to do this to allow me to standardise the index stanzas, as we have quite a lot of them.

Does anyone know of a better way to do this?



Path Finder

I have the same thing happening with my thawed path - it is configured as:

homePath = volume_hot:/$_index_name/db
coldPath = volume_cold:/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb

The hot and cold work as intended, however the thawed db ends up in: /opt/splunk/var/lib/splunk/$_index_name/thaweddb

I checked the docs for indexes.conf, and while it doesn't explicitly tell you not to use $_index_name for the thawedDB path, it doesn't use it in the example (but it does for homePath/coldPath). It says that the thawedPath should contain an absolute path that contains the thawed (resurrected) databases for the index.

Of note, it mentions:

We strongly recommend that you avoid the use of environment variables in index paths,
aside from the possible exception of SPLUNK_DB. See homePath for the complete rationale.

However, that warning is also mentioned for homePath and coldPath.

For now, I'll stick to writing out the index name in the path.

0 Karma

Splunk Employee

Note that thawedPath needs an absolute path that does NOT contain a volume reference.

0 Karma


Ever hear anything more about this?

0 Karma


Thanks, yeah, I'm aware that the thawedPath can't contain a volume reference. My issue is the variable name rather than the volume. I find it very strange that the $SPLUNK_DB variable resolves fine in the thawedPath, but not the $_index_name.

0 Karma

Splunk Employee

I'm guessing that thawedPath is a bit of the "odd one out" and may not play nice with $_index_name, but I don't know that for certain.

0 Karma
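
A check for the behaviour reported in this thread, as an added example that is not from any of the posters or from Splunk: it scans indexes.conf text for thawedPath values that use $_index_name or a volume reference, the two cases described above. The sample config, index names and function names are constructed for illustration.

```python
import re

# Constructed sample config; index and volume names are illustrative only.
SAMPLE_CONF = """\
[default]
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb

[web]
thawedPath = $SPLUNK_DB/web/thaweddb

[fw]
thawedPath = volume:cold/fw/thaweddb
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^(\w+)\s*=\s*(.*?)\s*$")

def lint_thawed_paths(conf_text):
    """Return (stanza, problem) tuples for thawedPath values reported as failing."""
    findings = []
    stanza = "default"  # settings before the first stanza header are global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = SETTING.match(line)
        if not m or m.group(1) != "thawedPath":
            continue  # homePath and coldPath are not checked here
        value = m.group(2)
        if "$_index_name" in value:
            findings.append((stanza, "uses $_index_name, left unexpanded in thawedPath"))
        if value.startswith("volume:"):
            findings.append((stanza, "uses a volume reference, not allowed in thawedPath"))
    return findings

def explicit_thawed_path(index_name):
    """Spell the index name out, the workaround the second poster settles on."""
    return f"thawedPath = $SPLUNK_DB/{index_name}/thaweddb"

if __name__ == "__main__":
    for stanza, problem in lint_thawed_paths(SAMPLE_CONF):
        print(f"[{stanza}] {problem}")
```
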