The Index Mines • Room 3
Creating Indexes with indexes.conf
Custom indexes are defined in indexes.conf. Each index stanza sets the storage paths, size limits, and retention policies.
Key settings include homePath (hot/warm buckets), coldPath (cold buckets), thawedPath (restored data), maxTotalDataSizeMB (total disk limit), and frozenTimePeriodInSecs (max age before freezing).
Always create dedicated indexes for different data sources — it improves search performance and lets you set different retention policies per data type.
indexes.conf example
[firewall_logs]
homePath = $SPLUNK_DB/firewall_logs/db
coldPath = $SPLUNK_DB/firewall_logs/colddb
thawedPath = $SPLUNK_DB/firewall_logs/thaweddb
maxTotalDataSizeMB = 500000
frozenTimePeriodInSecs = 7776000
7776000 seconds = 90 days. Plan your retention by converting days to seconds (days × 86400).
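An added example (not part of the original lesson): a Python check of the retention math above. It converts frozenTimePeriodInSecs to days and, given an assumed daily on-disk volume per index, tests whether maxTotalDataSizeMB would fill first, since Splunk freezes buckets when either limit is reached. The dns_logs stanza, the 90-day requirement and the MB/day figures are constructed for illustration.

```python
import configparser

SECONDS_PER_DAY = 86400

# Constructed sample: the lesson's firewall_logs stanza plus a hypothetical
# dns_logs index with a shorter retention period.
SAMPLE_CONF = """
[firewall_logs]
homePath = $SPLUNK_DB/firewall_logs/db
coldPath = $SPLUNK_DB/firewall_logs/colddb
thawedPath = $SPLUNK_DB/firewall_logs/thaweddb
maxTotalDataSizeMB = 500000
frozenTimePeriodInSecs = 7776000

[dns_logs]
homePath = $SPLUNK_DB/dns_logs/db
coldPath = $SPLUNK_DB/dns_logs/colddb
thawedPath = $SPLUNK_DB/dns_logs/thaweddb
maxTotalDataSizeMB = 10000
frozenTimePeriodInSecs = 2592000
"""

def audit(conf_text, min_days, daily_mb):
    """Return {index: [findings]}. daily_mb maps index -> assumed on-disk MB/day.
    Assumes every stanza sets both limits explicitly."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case-sensitive setting names
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        findings = []
        days = int(cp[name]["frozenTimePeriodInSecs"]) / SECONDS_PER_DAY
        cap_mb = int(cp[name]["maxTotalDataSizeMB"])
        if days < min_days:
            findings.append(f"retention {days:g}d < required {min_days}d")
        # Size limit check: if the expected volume over the retention period
        # exceeds the cap, data is frozen before the time limit is reached.
        rate = daily_mb.get(name, 0)
        if rate * days > cap_mb:
            findings.append(f"size cap holds {cap_mb / rate:g}d, not {days:g}d")
        report[name] = findings
    return report

if __name__ == "__main__":
    rates = {"firewall_logs": 10000, "dns_logs": 200}  # constructed MB/day
    for index, issues in audit(SAMPLE_CONF, 90, rates).items():
        print(index, issues or "ok")
```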
Knowledge Check
Complete the indexes.conf stanza to create an index called "security_events" with a 50 GB size limit:
[]
homePath = $SPLUNK_DB//db
coldPath = $SPLUNK_DB/security_events/colddb
maxTotalDataSizeMB =