Splunk v1.2.17, Apr 9 25

Splunk v1.2.17 published on Wednesday, Apr 9, 2025 by Pulumi

splunk.Indexes

Explore with Pulumi AI

Splunk v1.2.17 published on Wednesday, Apr 9, 2025 by Pulumi

pulumi/pulumi-splunk

# Resource: splunk.Indexes

Create and manage data indexes.

Authorization and authentication

By default, all users can list all indexes. However, if the indexes_list_all capability is enabled in authorize.conf, access to all indexes is limited to only those roles with this capability. To enable indexes_list_all capability restrictions on the data/indexes endpoint, create a [capability::indexes_list_all] stanza in authorize.conf. Specify indexes_list_all=enabled for any role permitted to list all indexes from this endpoint.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as splunk from "@pulumi/splunk";

const user01_index = new splunk.Indexes("user01-index", {
    name: "user01-index",
    maxHotBuckets: 6,
    maxTotalDataSizeMb: 1000000,
});

import pulumi
import pulumi_splunk as splunk

user01_index = splunk.Indexes("user01-index",
    name="user01-index",
    max_hot_buckets=6,
    max_total_data_size_mb=1000000)

package main

import (
	"github.com/pulumi/pulumi-splunk/sdk/go/splunk"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := splunk.NewIndexes(ctx, "user01-index", &splunk.IndexesArgs{
			Name:               pulumi.String("user01-index"),
			MaxHotBuckets:      pulumi.Int(6),
			MaxTotalDataSizeMb: pulumi.Int(1000000),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Splunk = Pulumi.Splunk;

return await Deployment.RunAsync(() => 
{
    var user01_index = new Splunk.Indexes("user01-index", new()
    {
        Name = "user01-index",
        MaxHotBuckets = 6,
        MaxTotalDataSizeMb = 1000000,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.splunk.Indexes;
import com.pulumi.splunk.IndexesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var user01_index = new Indexes("user01-index", IndexesArgs.builder()
            .name("user01-index")
            .maxHotBuckets(6)
            .maxTotalDataSizeMb(1000000)
            .build());

    }
}

resources:
  user01-index:
    type: splunk:Indexes
    properties:
      name: user01-index
      maxHotBuckets: 6
      maxTotalDataSizeMb: 1e+06

Create Indexes Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Indexes(name: string, args?: IndexesArgs, opts?: CustomResourceOptions);

@overload
def Indexes(resource_name: str,
            args: Optional[IndexesArgs] = None,
            opts: Optional[ResourceOptions] = None)

@overload
def Indexes(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            acl: Optional[IndexesAclArgs] = None,
            block_sign_size: Optional[int] = None,
            bucket_rebuild_memory_hint: Optional[str] = None,
            cold_path: Optional[str] = None,
            cold_to_frozen_dir: Optional[str] = None,
            cold_to_frozen_script: Optional[str] = None,
            compress_rawdata: Optional[bool] = None,
            datatype: Optional[str] = None,
            enable_online_bucket_repair: Optional[bool] = None,
            frozen_time_period_in_secs: Optional[int] = None,
            home_path: Optional[str] = None,
            max_bloom_backfill_bucket_age: Optional[str] = None,
            max_concurrent_optimizes: Optional[int] = None,
            max_data_size: Optional[str] = None,
            max_hot_buckets: Optional[int] = None,
            max_hot_idle_secs: Optional[int] = None,
            max_hot_span_secs: Optional[int] = None,
            max_mem_mb: Optional[int] = None,
            max_meta_entries: Optional[int] = None,
            max_time_unreplicated_no_acks: Optional[int] = None,
            max_time_unreplicated_with_acks: Optional[int] = None,
            max_total_data_size_mb: Optional[int] = None,
            max_warm_db_count: Optional[int] = None,
            min_raw_file_sync_secs: Optional[str] = None,
            min_stream_group_queue_size: Optional[int] = None,
            name: Optional[str] = None,
            partial_service_meta_period: Optional[int] = None,
            process_tracker_service_interval: Optional[int] = None,
            quarantine_future_secs: Optional[int] = None,
            quarantine_past_secs: Optional[int] = None,
            raw_chunk_size_bytes: Optional[int] = None,
            rep_factor: Optional[str] = None,
            rotate_period_in_secs: Optional[int] = None,
            service_meta_period: Optional[int] = None,
            sync_meta: Optional[bool] = None,
            thawed_path: Optional[str] = None,
            throttle_check_period: Optional[int] = None,
            tstats_home_path: Optional[str] = None,
            warm_to_cold_script: Optional[str] = None)

func NewIndexes(ctx *Context, name string, args *IndexesArgs, opts ...ResourceOption) (*Indexes, error)

public Indexes(string name, IndexesArgs? args = null, CustomResourceOptions? opts = null)

public Indexes(String name, IndexesArgs args)
public Indexes(String name, IndexesArgs args, CustomResourceOptions options)

type: splunk:Indexes
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args IndexesArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args IndexesArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args IndexesArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args IndexesArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args IndexesArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var indexesResource = new Splunk.Indexes("indexesResource", new()
{
    Acl = new Splunk.Inputs.IndexesAclArgs
    {
        App = "string",
        CanChangePerms = false,
        CanShareApp = false,
        CanShareGlobal = false,
        CanShareUser = false,
        CanWrite = false,
        Owner = "string",
        Reads = new[]
        {
            "string",
        },
        Removable = false,
        Sharing = "string",
        Writes = new[]
        {
            "string",
        },
    },
    BlockSignSize = 0,
    BucketRebuildMemoryHint = "string",
    ColdPath = "string",
    ColdToFrozenDir = "string",
    ColdToFrozenScript = "string",
    CompressRawdata = false,
    Datatype = "string",
    EnableOnlineBucketRepair = false,
    FrozenTimePeriodInSecs = 0,
    HomePath = "string",
    MaxBloomBackfillBucketAge = "string",
    MaxConcurrentOptimizes = 0,
    MaxDataSize = "string",
    MaxHotBuckets = 0,
    MaxHotIdleSecs = 0,
    MaxHotSpanSecs = 0,
    MaxMemMb = 0,
    MaxMetaEntries = 0,
    MaxTimeUnreplicatedNoAcks = 0,
    MaxTimeUnreplicatedWithAcks = 0,
    MaxTotalDataSizeMb = 0,
    MaxWarmDbCount = 0,
    MinRawFileSyncSecs = "string",
    MinStreamGroupQueueSize = 0,
    Name = "string",
    PartialServiceMetaPeriod = 0,
    ProcessTrackerServiceInterval = 0,
    QuarantineFutureSecs = 0,
    QuarantinePastSecs = 0,
    RawChunkSizeBytes = 0,
    RepFactor = "string",
    RotatePeriodInSecs = 0,
    ServiceMetaPeriod = 0,
    SyncMeta = false,
    ThawedPath = "string",
    ThrottleCheckPeriod = 0,
    TstatsHomePath = "string",
    WarmToColdScript = "string",
});

example, err := splunk.NewIndexes(ctx, "indexesResource", &splunk.IndexesArgs{
	Acl: &splunk.IndexesAclArgs{
		App:            pulumi.String("string"),
		CanChangePerms: pulumi.Bool(false),
		CanShareApp:    pulumi.Bool(false),
		CanShareGlobal: pulumi.Bool(false),
		CanShareUser:   pulumi.Bool(false),
		CanWrite:       pulumi.Bool(false),
		Owner:          pulumi.String("string"),
		Reads: pulumi.StringArray{
			pulumi.String("string"),
		},
		Removable: pulumi.Bool(false),
		Sharing:   pulumi.String("string"),
		Writes: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	BlockSignSize:                 pulumi.Int(0),
	BucketRebuildMemoryHint:       pulumi.String("string"),
	ColdPath:                      pulumi.String("string"),
	ColdToFrozenDir:               pulumi.String("string"),
	ColdToFrozenScript:            pulumi.String("string"),
	CompressRawdata:               pulumi.Bool(false),
	Datatype:                      pulumi.String("string"),
	EnableOnlineBucketRepair:      pulumi.Bool(false),
	FrozenTimePeriodInSecs:        pulumi.Int(0),
	HomePath:                      pulumi.String("string"),
	MaxBloomBackfillBucketAge:     pulumi.String("string"),
	MaxConcurrentOptimizes:        pulumi.Int(0),
	MaxDataSize:                   pulumi.String("string"),
	MaxHotBuckets:                 pulumi.Int(0),
	MaxHotIdleSecs:                pulumi.Int(0),
	MaxHotSpanSecs:                pulumi.Int(0),
	MaxMemMb:                      pulumi.Int(0),
	MaxMetaEntries:                pulumi.Int(0),
	MaxTimeUnreplicatedNoAcks:     pulumi.Int(0),
	MaxTimeUnreplicatedWithAcks:   pulumi.Int(0),
	MaxTotalDataSizeMb:            pulumi.Int(0),
	MaxWarmDbCount:                pulumi.Int(0),
	MinRawFileSyncSecs:            pulumi.String("string"),
	MinStreamGroupQueueSize:       pulumi.Int(0),
	Name:                          pulumi.String("string"),
	PartialServiceMetaPeriod:      pulumi.Int(0),
	ProcessTrackerServiceInterval: pulumi.Int(0),
	QuarantineFutureSecs:          pulumi.Int(0),
	QuarantinePastSecs:            pulumi.Int(0),
	RawChunkSizeBytes:             pulumi.Int(0),
	RepFactor:                     pulumi.String("string"),
	RotatePeriodInSecs:            pulumi.Int(0),
	ServiceMetaPeriod:             pulumi.Int(0),
	SyncMeta:                      pulumi.Bool(false),
	ThawedPath:                    pulumi.String("string"),
	ThrottleCheckPeriod:           pulumi.Int(0),
	TstatsHomePath:                pulumi.String("string"),
	WarmToColdScript:              pulumi.String("string"),
})

var indexesResource = new Indexes("indexesResource", IndexesArgs.builder()
    .acl(IndexesAclArgs.builder()
        .app("string")
        .canChangePerms(false)
        .canShareApp(false)
        .canShareGlobal(false)
        .canShareUser(false)
        .canWrite(false)
        .owner("string")
        .reads("string")
        .removable(false)
        .sharing("string")
        .writes("string")
        .build())
    .blockSignSize(0)
    .bucketRebuildMemoryHint("string")
    .coldPath("string")
    .coldToFrozenDir("string")
    .coldToFrozenScript("string")
    .compressRawdata(false)
    .datatype("string")
    .enableOnlineBucketRepair(false)
    .frozenTimePeriodInSecs(0)
    .homePath("string")
    .maxBloomBackfillBucketAge("string")
    .maxConcurrentOptimizes(0)
    .maxDataSize("string")
    .maxHotBuckets(0)
    .maxHotIdleSecs(0)
    .maxHotSpanSecs(0)
    .maxMemMb(0)
    .maxMetaEntries(0)
    .maxTimeUnreplicatedNoAcks(0)
    .maxTimeUnreplicatedWithAcks(0)
    .maxTotalDataSizeMb(0)
    .maxWarmDbCount(0)
    .minRawFileSyncSecs("string")
    .minStreamGroupQueueSize(0)
    .name("string")
    .partialServiceMetaPeriod(0)
    .processTrackerServiceInterval(0)
    .quarantineFutureSecs(0)
    .quarantinePastSecs(0)
    .rawChunkSizeBytes(0)
    .repFactor("string")
    .rotatePeriodInSecs(0)
    .serviceMetaPeriod(0)
    .syncMeta(false)
    .thawedPath("string")
    .throttleCheckPeriod(0)
    .tstatsHomePath("string")
    .warmToColdScript("string")
    .build());

indexes_resource = splunk.Indexes("indexesResource",
    acl={
        "app": "string",
        "can_change_perms": False,
        "can_share_app": False,
        "can_share_global": False,
        "can_share_user": False,
        "can_write": False,
        "owner": "string",
        "reads": ["string"],
        "removable": False,
        "sharing": "string",
        "writes": ["string"],
    },
    block_sign_size=0,
    bucket_rebuild_memory_hint="string",
    cold_path="string",
    cold_to_frozen_dir="string",
    cold_to_frozen_script="string",
    compress_rawdata=False,
    datatype="string",
    enable_online_bucket_repair=False,
    frozen_time_period_in_secs=0,
    home_path="string",
    max_bloom_backfill_bucket_age="string",
    max_concurrent_optimizes=0,
    max_data_size="string",
    max_hot_buckets=0,
    max_hot_idle_secs=0,
    max_hot_span_secs=0,
    max_mem_mb=0,
    max_meta_entries=0,
    max_time_unreplicated_no_acks=0,
    max_time_unreplicated_with_acks=0,
    max_total_data_size_mb=0,
    max_warm_db_count=0,
    min_raw_file_sync_secs="string",
    min_stream_group_queue_size=0,
    name="string",
    partial_service_meta_period=0,
    process_tracker_service_interval=0,
    quarantine_future_secs=0,
    quarantine_past_secs=0,
    raw_chunk_size_bytes=0,
    rep_factor="string",
    rotate_period_in_secs=0,
    service_meta_period=0,
    sync_meta=False,
    thawed_path="string",
    throttle_check_period=0,
    tstats_home_path="string",
    warm_to_cold_script="string")

const indexesResource = new splunk.Indexes("indexesResource", {
    acl: {
        app: "string",
        canChangePerms: false,
        canShareApp: false,
        canShareGlobal: false,
        canShareUser: false,
        canWrite: false,
        owner: "string",
        reads: ["string"],
        removable: false,
        sharing: "string",
        writes: ["string"],
    },
    blockSignSize: 0,
    bucketRebuildMemoryHint: "string",
    coldPath: "string",
    coldToFrozenDir: "string",
    coldToFrozenScript: "string",
    compressRawdata: false,
    datatype: "string",
    enableOnlineBucketRepair: false,
    frozenTimePeriodInSecs: 0,
    homePath: "string",
    maxBloomBackfillBucketAge: "string",
    maxConcurrentOptimizes: 0,
    maxDataSize: "string",
    maxHotBuckets: 0,
    maxHotIdleSecs: 0,
    maxHotSpanSecs: 0,
    maxMemMb: 0,
    maxMetaEntries: 0,
    maxTimeUnreplicatedNoAcks: 0,
    maxTimeUnreplicatedWithAcks: 0,
    maxTotalDataSizeMb: 0,
    maxWarmDbCount: 0,
    minRawFileSyncSecs: "string",
    minStreamGroupQueueSize: 0,
    name: "string",
    partialServiceMetaPeriod: 0,
    processTrackerServiceInterval: 0,
    quarantineFutureSecs: 0,
    quarantinePastSecs: 0,
    rawChunkSizeBytes: 0,
    repFactor: "string",
    rotatePeriodInSecs: 0,
    serviceMetaPeriod: 0,
    syncMeta: false,
    thawedPath: "string",
    throttleCheckPeriod: 0,
    tstatsHomePath: "string",
    warmToColdScript: "string",
});

type: splunk:Indexes
properties:
    acl:
        app: string
        canChangePerms: false
        canShareApp: false
        canShareGlobal: false
        canShareUser: false
        canWrite: false
        owner: string
        reads:
            - string
        removable: false
        sharing: string
        writes:
            - string
    blockSignSize: 0
    bucketRebuildMemoryHint: string
    coldPath: string
    coldToFrozenDir: string
    coldToFrozenScript: string
    compressRawdata: false
    datatype: string
    enableOnlineBucketRepair: false
    frozenTimePeriodInSecs: 0
    homePath: string
    maxBloomBackfillBucketAge: string
    maxConcurrentOptimizes: 0
    maxDataSize: string
    maxHotBuckets: 0
    maxHotIdleSecs: 0
    maxHotSpanSecs: 0
    maxMemMb: 0
    maxMetaEntries: 0
    maxTimeUnreplicatedNoAcks: 0
    maxTimeUnreplicatedWithAcks: 0
    maxTotalDataSizeMb: 0
    maxWarmDbCount: 0
    minRawFileSyncSecs: string
    minStreamGroupQueueSize: 0
    name: string
    partialServiceMetaPeriod: 0
    processTrackerServiceInterval: 0
    quarantineFutureSecs: 0
    quarantinePastSecs: 0
    rawChunkSizeBytes: 0
    repFactor: string
    rotatePeriodInSecs: 0
    serviceMetaPeriod: 0
    syncMeta: false
    thawedPath: string
    throttleCheckPeriod: 0
    tstatsHomePath: string
    warmToColdScript: string

Indexes Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Indexes resource accepts the following input properties:

Acl IndexesAcl: The app/user context that is the namespace for the resource
BlockSignSize int: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
BucketRebuildMemoryHint string: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
ColdPath string: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
ColdToFrozenDir string: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
ColdToFrozenScript string: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
CompressRawdata bool: This parameter is ignored. The splunkd process always compresses raw data.
Datatype string: Valid values: (event | metric). Specifies the type of index.
EnableOnlineBucketRepair bool: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
FrozenTimePeriodInSecs int: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
HomePath string: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
MaxBloomBackfillBucketAge string: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
MaxConcurrentOptimizes int: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
MaxDataSize string: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
MaxHotBuckets int: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
MaxHotIdleSecs int: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
MaxHotSpanSecs int: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
MaxMemMb int: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
MaxMetaEntries int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedNoAcks int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedWithAcks int: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
MaxTotalDataSizeMb int: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
MaxWarmDbCount int: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
MinRawFileSyncSecs string: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
MinStreamGroupQueueSize int: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Name string: The name of the index to create.
PartialServiceMetaPeriod int: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
ProcessTrackerServiceInterval int: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
QuarantineFutureSecs int: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
QuarantinePastSecs int: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
RawChunkSizeBytes int: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
RepFactor string: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
RotatePeriodInSecs int: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
ServiceMetaPeriod int: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
SyncMeta bool: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
ThawedPath string: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
ThrottleCheckPeriod int: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
TstatsHomePath string: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
WarmToColdScript string: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Acl IndexesAclArgs: The app/user context that is the namespace for the resource
BlockSignSize int: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
BucketRebuildMemoryHint string: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
ColdPath string: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
ColdToFrozenDir string: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
ColdToFrozenScript string: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
CompressRawdata bool: This parameter is ignored. The splunkd process always compresses raw data.
Datatype string: Valid values: (event | metric). Specifies the type of index.
EnableOnlineBucketRepair bool: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
FrozenTimePeriodInSecs int: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
HomePath string: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
MaxBloomBackfillBucketAge string: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
MaxConcurrentOptimizes int: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
MaxDataSize string: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
MaxHotBuckets int: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
MaxHotIdleSecs int: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
MaxHotSpanSecs int: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
MaxMemMb int: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
MaxMetaEntries int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedNoAcks int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedWithAcks int: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
MaxTotalDataSizeMb int: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
MaxWarmDbCount int: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
MinRawFileSyncSecs string: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
MinStreamGroupQueueSize int: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Name string: The name of the index to create.
PartialServiceMetaPeriod int: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
ProcessTrackerServiceInterval int: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
QuarantineFutureSecs int: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
QuarantinePastSecs int: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
RawChunkSizeBytes int: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
RepFactor string: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
RotatePeriodInSecs int: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
ServiceMetaPeriod int: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
SyncMeta bool: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
ThawedPath string: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
ThrottleCheckPeriod int: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
TstatsHomePath string: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
WarmToColdScript string: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl IndexesAcl: The app/user context that is the namespace for the resource
blockSignSize Integer: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint String: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath String: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
coldToFrozenDir String: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript String: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compressRawdata Boolean: This parameter is ignored. The splunkd process always compresses raw data.
datatype String: Valid values: (event | metric). Specifies the type of index.
enableOnlineBucketRepair Boolean: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs Integer: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath String: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge String: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
maxConcurrentOptimizes Integer: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize String: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
maxHotBuckets Integer: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs Integer: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs Integer: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
maxMemMb Integer: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
maxMetaEntries Integer: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedNoAcks Integer: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedWithAcks Integer: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMb Integer: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDbCount Integer: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs String: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize Integer: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name String: The name of the index to create.
partialServiceMetaPeriod Integer: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval Integer: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs Integer: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs Integer: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes Integer: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
repFactor String: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotatePeriodInSecs Integer: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Integer: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta Boolean: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawedPath String: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttleCheckPeriod Integer: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstatsHomePath String: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warmToColdScript String: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl IndexesAcl: The app/user context that is the namespace for the resource
blockSignSize number: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint string: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath string: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
coldToFrozenDir string: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript string: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compressRawdata boolean: This parameter is ignored. The splunkd process always compresses raw data.
datatype string: Valid values: (event | metric). Specifies the type of index.
enableOnlineBucketRepair boolean: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs number: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath string: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge string: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
maxConcurrentOptimizes number: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize string: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
maxHotBuckets number: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs number: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs number: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
maxMemMb number: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
maxMetaEntries number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedNoAcks number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedWithAcks number: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMb number: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDbCount number: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs string: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize number: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name string: The name of the index to create.
partialServiceMetaPeriod number: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval number: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs number: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs number: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes number: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
repFactor string: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotatePeriodInSecs number: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod number: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta boolean: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawedPath string: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttleCheckPeriod number: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstatsHomePath string: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warmToColdScript string: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl IndexesAclArgs: The app/user context that is the namespace for the resource
block_sign_size int: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucket_rebuild_memory_hint str: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
cold_path str: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
cold_to_frozen_dir str: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
cold_to_frozen_script str: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compress_rawdata bool: This parameter is ignored. The splunkd process always compresses raw data.
datatype str: Valid values: (event | metric). Specifies the type of index.
enable_online_bucket_repair bool: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozen_time_period_in_secs int: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
home_path str: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
max_bloom_backfill_bucket_age str: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
max_concurrent_optimizes int: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
max_data_size str: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
max_hot_buckets int: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
max_hot_idle_secs int: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
max_hot_span_secs int: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
max_mem_mb int: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
max_meta_entries int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
max_time_unreplicated_no_acks int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
max_time_unreplicated_with_acks int: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
max_total_data_size_mb int: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
max_warm_db_count int: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
min_raw_file_sync_secs str: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
min_stream_group_queue_size int: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name str: The name of the index to create.
partial_service_meta_period int: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
process_tracker_service_interval int: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantine_future_secs int: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantine_past_secs int: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
raw_chunk_size_bytes int: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
rep_factor str: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotate_period_in_secs int: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
service_meta_period int: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
sync_meta bool: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawed_path str: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttle_check_period int: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstats_home_path str: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warm_to_cold_script str: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl Property Map: The app/user context that is the namespace for the resource
blockSignSize Number: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint String: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath String: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
coldToFrozenDir String: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript String: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compressRawdata Boolean: This parameter is ignored. The splunkd process always compresses raw data.
datatype String: Valid values: (event | metric). Specifies the type of index.
enableOnlineBucketRepair Boolean: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs Number: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath String: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge String: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
maxConcurrentOptimizes Number: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize String: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
maxHotBuckets Number: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs Number: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs Number: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
maxMemMb Number: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
maxMetaEntries Number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedNoAcks Number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedWithAcks Number: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMb Number: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDbCount Number: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs String: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize Number: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name String: The name of the index to create.
partialServiceMetaPeriod Number: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval Number: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs Number: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs Number: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes Number: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
repFactor String: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotatePeriodInSecs Number: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Number: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta Boolean: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawedPath String: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttleCheckPeriod Number: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstatsHomePath String: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warmToColdScript String: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Outputs

All input properties are implicitly available as output properties. Additionally, the Indexes resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing Indexes Resource

Get an existing Indexes resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IndexesState, opts?: CustomResourceOptions): Indexes

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        acl: Optional[IndexesAclArgs] = None,
        block_sign_size: Optional[int] = None,
        bucket_rebuild_memory_hint: Optional[str] = None,
        cold_path: Optional[str] = None,
        cold_to_frozen_dir: Optional[str] = None,
        cold_to_frozen_script: Optional[str] = None,
        compress_rawdata: Optional[bool] = None,
        datatype: Optional[str] = None,
        enable_online_bucket_repair: Optional[bool] = None,
        frozen_time_period_in_secs: Optional[int] = None,
        home_path: Optional[str] = None,
        max_bloom_backfill_bucket_age: Optional[str] = None,
        max_concurrent_optimizes: Optional[int] = None,
        max_data_size: Optional[str] = None,
        max_hot_buckets: Optional[int] = None,
        max_hot_idle_secs: Optional[int] = None,
        max_hot_span_secs: Optional[int] = None,
        max_mem_mb: Optional[int] = None,
        max_meta_entries: Optional[int] = None,
        max_time_unreplicated_no_acks: Optional[int] = None,
        max_time_unreplicated_with_acks: Optional[int] = None,
        max_total_data_size_mb: Optional[int] = None,
        max_warm_db_count: Optional[int] = None,
        min_raw_file_sync_secs: Optional[str] = None,
        min_stream_group_queue_size: Optional[int] = None,
        name: Optional[str] = None,
        partial_service_meta_period: Optional[int] = None,
        process_tracker_service_interval: Optional[int] = None,
        quarantine_future_secs: Optional[int] = None,
        quarantine_past_secs: Optional[int] = None,
        raw_chunk_size_bytes: Optional[int] = None,
        rep_factor: Optional[str] = None,
        rotate_period_in_secs: Optional[int] = None,
        service_meta_period: Optional[int] = None,
        sync_meta: Optional[bool] = None,
        thawed_path: Optional[str] = None,
        throttle_check_period: Optional[int] = None,
        tstats_home_path: Optional[str] = None,
        warm_to_cold_script: Optional[str] = None) -> Indexes

func GetIndexes(ctx *Context, name string, id IDInput, state *IndexesState, opts ...ResourceOption) (*Indexes, error)

public static Indexes Get(string name, Input<string> id, IndexesState? state, CustomResourceOptions? opts = null)

public static Indexes get(String name, Output<String> id, IndexesState state, CustomResourceOptions options)

resources:  _:    type: splunk:Indexes    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Acl IndexesAcl: The app/user context that is the namespace for the resource
BlockSignSize int: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
BucketRebuildMemoryHint string: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
ColdPath string: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
ColdToFrozenDir string: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
ColdToFrozenScript string: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
CompressRawdata bool: This parameter is ignored. The splunkd process always compresses raw data.
Datatype string: Valid values: (event | metric). Specifies the type of index.
EnableOnlineBucketRepair bool: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
FrozenTimePeriodInSecs int: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
HomePath string: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
MaxBloomBackfillBucketAge string: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
MaxConcurrentOptimizes int: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
MaxDataSize string: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
MaxHotBuckets int: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
MaxHotIdleSecs int: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
MaxHotSpanSecs int: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
MaxMemMb int: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
MaxMetaEntries int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedNoAcks int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedWithAcks int: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
MaxTotalDataSizeMb int: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
MaxWarmDbCount int: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
MinRawFileSyncSecs string: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
MinStreamGroupQueueSize int: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Name string: The name of the index to create.
PartialServiceMetaPeriod int: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
ProcessTrackerServiceInterval int: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
QuarantineFutureSecs int: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
QuarantinePastSecs int: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
RawChunkSizeBytes int: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
RepFactor string: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
RotatePeriodInSecs int: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
ServiceMetaPeriod int: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
SyncMeta bool: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
ThawedPath string: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
ThrottleCheckPeriod int: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
TstatsHomePath string: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
WarmToColdScript string: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Acl IndexesAclArgs: The app/user context that is the namespace for the resource
BlockSignSize int: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
BucketRebuildMemoryHint string: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
ColdPath string: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
ColdToFrozenDir string: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
ColdToFrozenScript string: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
CompressRawdata bool: This parameter is ignored. The splunkd process always compresses raw data.
Datatype string: Valid values: (event | metric). Specifies the type of index.
EnableOnlineBucketRepair bool: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
FrozenTimePeriodInSecs int: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
HomePath string: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
MaxBloomBackfillBucketAge string: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
MaxConcurrentOptimizes int: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
MaxDataSize string: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
MaxHotBuckets int: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
MaxHotIdleSecs int: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
MaxHotSpanSecs int: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
MaxMemMb int: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
MaxMetaEntries int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedNoAcks int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
MaxTimeUnreplicatedWithAcks int: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
MaxTotalDataSizeMb int: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
MaxWarmDbCount int: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
MinRawFileSyncSecs string: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
MinStreamGroupQueueSize int: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Name string: The name of the index to create.
PartialServiceMetaPeriod int: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
ProcessTrackerServiceInterval int: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
QuarantineFutureSecs int: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
QuarantinePastSecs int: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
RawChunkSizeBytes int: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
RepFactor string: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
RotatePeriodInSecs int: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
ServiceMetaPeriod int: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
SyncMeta bool: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
ThawedPath string: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
ThrottleCheckPeriod int: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
TstatsHomePath string: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
WarmToColdScript string: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl IndexesAcl: The app/user context that is the namespace for the resource
blockSignSize Integer: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint String: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath String: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
coldToFrozenDir String: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript String: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compressRawdata Boolean: This parameter is ignored. The splunkd process always compresses raw data.
datatype String: Valid values: (event | metric). Specifies the type of index.
enableOnlineBucketRepair Boolean: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs Integer: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath String: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge String: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
maxConcurrentOptimizes Integer: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize String: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
maxHotBuckets Integer: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs Integer: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs Integer: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
maxMemMb Integer: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
maxMetaEntries Integer: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedNoAcks Integer: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedWithAcks Integer: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMb Integer: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDbCount Integer: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs String: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize Integer: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name String: The name of the index to create.
partialServiceMetaPeriod Integer: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval Integer: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs Integer: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs Integer: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes Integer: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
repFactor String: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotatePeriodInSecs Integer: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Integer: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta Boolean: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawedPath String: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttleCheckPeriod Integer: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstatsHomePath String: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warmToColdScript String: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl IndexesAcl: The app/user context that is the namespace for the resource
blockSignSize number: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint string: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath string: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
coldToFrozenDir string: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript string: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compressRawdata boolean: This parameter is ignored. The splunkd process always compresses raw data.
datatype string: Valid values: (event | metric). Specifies the type of index.
enableOnlineBucketRepair boolean: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs number: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath string: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge string: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
maxConcurrentOptimizes number: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize string: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
maxHotBuckets number: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs number: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs number: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
maxMemMb number: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
maxMetaEntries number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedNoAcks number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedWithAcks number: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMb number: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDbCount number: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs string: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize number: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name string: The name of the index to create.
partialServiceMetaPeriod number: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval number: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs number: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs number: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes number: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
repFactor string: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotatePeriodInSecs number: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod number: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta boolean: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawedPath string: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttleCheckPeriod number: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstatsHomePath string: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warmToColdScript string: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl IndexesAclArgs: The app/user context that is the namespace for the resource
block_sign_size int: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucket_rebuild_memory_hint str: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
cold_path str: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
cold_to_frozen_dir str: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
cold_to_frozen_script str: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compress_rawdata bool: This parameter is ignored. The splunkd process always compresses raw data.
datatype str: Valid values: (event | metric). Specifies the type of index.
enable_online_bucket_repair bool: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozen_time_period_in_secs int: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
home_path str: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
max_bloom_backfill_bucket_age str: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
max_concurrent_optimizes int: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
max_data_size str: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
max_hot_buckets int: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
max_hot_idle_secs int: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
max_hot_span_secs int: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
max_mem_mb int: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
max_meta_entries int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
max_time_unreplicated_no_acks int: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
max_time_unreplicated_with_acks int: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
max_total_data_size_mb int: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
max_warm_db_count int: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
min_raw_file_sync_secs str: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
min_stream_group_queue_size int: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name str: The name of the index to create.
partial_service_meta_period int: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
process_tracker_service_interval int: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantine_future_secs int: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantine_past_secs int: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
raw_chunk_size_bytes int: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
rep_factor str: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotate_period_in_secs int: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
service_meta_period int: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
sync_meta bool: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawed_path str: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttle_check_period int: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstats_home_path str: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warm_to_cold_script str: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

acl Property Map: The app/user context that is the namespace for the resource
blockSignSize Number: Controls how many events make up a block for block signatures. If this is set to 0, block signing is disabled for this index. A recommended value is 100.
bucketRebuildMemoryHint String: Suggestion for the bucket rebuild process for the size of the time-series (tsidx) file to make. Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value, auto, varies by the amount of physical RAM on the host less than 2GB RAM = 67108864 (64MB) tsidx 2GB to 8GB RAM = 134217728 (128MB) tsidx more than 8GB RAM = 268435456 (256MB) tsidx Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent.
coldPath String: An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching.
coldToFrozenDir String: Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk software automatically puts frozen buckets in this directory. Bucket freezing policy is as follows: New style buckets (4.2 and on): removes all files but the rawdata To thaw, run splunk rebuild on the bucket, then move to the thawed directory Old style buckets (Pre-4.2): gzip all the .data and .tsidx files To thaw, gunzip the zipped files and move the bucket into the thawed directory If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence
coldToFrozenScript String: Path to the archiving script. If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk software ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. DO NOT use this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. It is best to copy the example script to a new file in bin and modify it for your system. Most importantly, change the default archive path to an existing directory that fits your needs.
compressRawdata Boolean: This parameter is ignored. The splunkd process always compresses raw data.
datatype String: Valid values: (event | metric). Specifies the type of index.
enableOnlineBucketRepair Boolean: Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk software. When enabled, you do not have to wait until buckets are repaired to start the Splunk platform. However, you might observe a slight performance degratation.
frozenTimePeriodInSecs Number: Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation.
homePath String: An absolute path that contains the hot and warm buckets for the index. Required. Splunk software does not start if an index lacks a valid homePath. Caution: The path must be readable and writable.
maxBloomBackfillBucketAge String: Valid values are: Integer[m|s|h|d]. If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters.
maxConcurrentOptimizes Number: The number of concurrent optimize processes that can run against a hot bucket. This number should be increased if instructed by Splunk Support. Typically the default value should suffice.
maxDataSize String: The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk software to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
maxHotBuckets Number: Maximum hot buckets that can exist per index. Defaults to 3. When maxHotBuckets is exceeded, Splunk software rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll.
maxHotIdleSecs Number: Maximum life, in seconds, of a hot bucket. Defaults to 0. If a hot bucket exceeds maxHotIdleSecs, Splunk software rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
maxHotSpanSecs Number: Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
maxMemMb Number: The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
maxMetaEntries Number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedNoAcks Number: Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored. If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0.
maxTimeUnreplicatedWithAcks Number: Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering). Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647.
maxTotalDataSizeMb Number: The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen.
maxWarmDbCount Number: The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold.
minRawFileSyncSecs String: Specify an integer (or "disable") for this parameter. This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete.
minStreamGroupQueueSize Number: Minimum size of the queue that stores events in memory before committing them to a tsidx file.
name String: The name of the index to create.
partialServiceMetaPeriod Number: Related to serviceMetaPeriod. If set, it enables metadata sync every seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero).
processTrackerServiceInterval Number: Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15. If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295.
quarantineFutureSecs Number: Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days). This is a mechanism to prevent main hot buckets from being polluted with fringe events.
quarantinePastSecs Number: Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days). This is a mechanism to prevent the main hot buckets from being polluted with fringe events.
rawChunkSizeBytes Number: Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
repFactor String: Index replication control. This parameter applies to only clustering slaves. auto = Use the master index replication configuration value. 0 = Turn off replication for this index.
rotatePeriodInSecs Number: How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen.
serviceMetaPeriod Number: Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds). You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path.
syncMeta Boolean: When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
thawedPath String: An absolute path that contains the thawed (resurrected) databases for the index. Cannot be defined in terms of a volume definition. Required. Splunk software does not start if an index lacks a valid thawedPath.
throttleCheckPeriod Number: Defines how frequently Splunk software checks for index throttling condition, in seconds. Defaults to 15 (seconds).
tstatsHomePath String: Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter. If specified, it must be defined in terms of a volume definition.
warmToColdScript String: Path to a script to run when moving data from warm to cold. This attribute is supported for backwards compatibility with Splunk software versions older than 4.0. Contact Splunk support if you need help configuring this setting.

Supporting Types

IndexesAcl, IndexesAclArgs

App string: The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
CanChangePerms bool: Indicates if the active user can change permissions for this object. Defaults to true.
CanShareApp bool: Indicates if the active user can change sharing to app level. Defaults to true.
CanShareGlobal bool: Indicates if the active user can change sharing to system level. Defaults to true.
CanShareUser bool: Indicates if the active user can change sharing to user level. Defaults to true.
CanWrite bool: Indicates if the active user can edit this object. Defaults to true.
Owner string: User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
Reads List<string>: Properties that indicate resource read permissions.
Removable bool: Indicates whether an admin or user with sufficient permissions can delete the entity.
Sharing string: Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
Writes List<string>: Properties that indicate resource write permissions.

App string: The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
CanChangePerms bool: Indicates if the active user can change permissions for this object. Defaults to true.
CanShareApp bool: Indicates if the active user can change sharing to app level. Defaults to true.
CanShareGlobal bool: Indicates if the active user can change sharing to system level. Defaults to true.
CanShareUser bool: Indicates if the active user can change sharing to user level. Defaults to true.
CanWrite bool: Indicates if the active user can edit this object. Defaults to true.
Owner string: User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
Reads []string: Properties that indicate resource read permissions.
Removable bool: Indicates whether an admin or user with sufficient permissions can delete the entity.
Sharing string: Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
Writes []string: Properties that indicate resource write permissions.

app String: The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
canChangePerms Boolean: Indicates if the active user can change permissions for this object. Defaults to true.
canShareApp Boolean: Indicates if the active user can change sharing to app level. Defaults to true.
canShareGlobal Boolean: Indicates if the active user can change sharing to system level. Defaults to true.
canShareUser Boolean: Indicates if the active user can change sharing to user level. Defaults to true.
canWrite Boolean: Indicates if the active user can edit this object. Defaults to true.
owner String: User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
reads List<String>: Properties that indicate resource read permissions.
removable Boolean: Indicates whether an admin or user with sufficient permissions can delete the entity.
sharing String: Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
writes List<String>: Properties that indicate resource write permissions.

app string: The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
canChangePerms boolean: Indicates if the active user can change permissions for this object. Defaults to true.
canShareApp boolean: Indicates if the active user can change sharing to app level. Defaults to true.
canShareGlobal boolean: Indicates if the active user can change sharing to system level. Defaults to true.
canShareUser boolean: Indicates if the active user can change sharing to user level. Defaults to true.
canWrite boolean: Indicates if the active user can edit this object. Defaults to true.
owner string: User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
reads string[]: Properties that indicate resource read permissions.
removable boolean: Indicates whether an admin or user with sufficient permissions can delete the entity.
sharing string: Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
writes string[]: Properties that indicate resource write permissions.

app str: The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
can_change_perms bool: Indicates if the active user can change permissions for this object. Defaults to true.
can_share_app bool: Indicates if the active user can change sharing to app level. Defaults to true.
can_share_global bool: Indicates if the active user can change sharing to system level. Defaults to true.
can_share_user bool: Indicates if the active user can change sharing to user level. Defaults to true.
can_write bool: Indicates if the active user can edit this object. Defaults to true.
owner str: User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
reads Sequence[str]: Properties that indicate resource read permissions.
removable bool: Indicates whether an admin or user with sufficient permissions can delete the entity.
sharing str: Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
writes Sequence[str]: Properties that indicate resource write permissions.

app String: The app context for the resource. Required for updating saved search ACL properties. Allowed values are:The name of an app and system
canChangePerms Boolean: Indicates if the active user can change permissions for this object. Defaults to true.
canShareApp Boolean: Indicates if the active user can change sharing to app level. Defaults to true.
canShareGlobal Boolean: Indicates if the active user can change sharing to system level. Defaults to true.
canShareUser Boolean: Indicates if the active user can change sharing to user level. Defaults to true.
canWrite Boolean: Indicates if the active user can edit this object. Defaults to true.
owner String: User name of resource owner. Defaults to the resource creator. Required for updating any knowledge object ACL properties.nobody = All users may access the resource, but write access to the resource might be restricted.
reads List<String>: Properties that indicate resource read permissions.
removable Boolean: Indicates whether an admin or user with sufficient permissions can delete the entity.
sharing String: Indicates how the resource is shared. Required for updating any knowledge object ACL properties.app: Shared within a specific appglobal: (Default) Shared globally to all apps.user: Private to a user
writes List<String>: Properties that indicate resource write permissions.

Package Details

Repository: Splunk pulumi/pulumi-splunk
License: Apache-2.0
Notes: This Pulumi package is based on the splunk Terraform Provider.

Splunk v1.2.17 published on Wednesday, Apr 9, 2025 by Pulumi

pulumi/pulumi-splunk

splunk.Indexes

On this page

On this page

# Resource: splunk.Indexes

Authorization and authentication

Example Usage

Create Indexes Resource

Constructor syntax

Parameters

Constructor example

Indexes Resource Properties

Inputs

Outputs

Look up Existing Indexes Resource

Supporting Types

IndexesAcl, IndexesAclArgs

Package Details

On this page

On this page