Create an index

As already mentioned, indexes can be created with Splunk Web, the command-line interface (CLI), or by manually editing the indexes.conf file. The easiest way is to use Splunk Web. Here are the steps:

Log in to Splunk Web with an administrative account and go to Settings > Indexes:

The Indexes page should open. Click New Index:

The New Index page should open. You need to provide the following information:

  • Index name – the name for the index. It can contain only digits, lowercase letters, underscores, and hyphens, and it cannot start with an underscore or a hyphen.
  • Home Path – specifies the path that contains the hot and warm buckets.
  • Cold Path – specifies the path for buckets rolled off from hot.
  • Thawed Path – specifies the path for archived buckets that have been unzipped for reuse.
  • Max Size of Entire Index – the maximum size of the index. 500,000 MB by default.
  • Max Size of Hot/Warm/Cold Bucket – specifies the maximum target size of buckets.
  • Frozen Path – an optional parameter. Set this field if you want to archive frozen buckets.
  • App – the app for the index.

You should see the new index in the list of indexes.
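The same index can be defined by editing indexes.conf, as mentioned at the top of this page. The following added example (not part of the original tutorial) enforces the index naming rule from the form above and renders the matching indexes.conf stanza; the function names, the sample index name and the archive path are hypothetical, and the `$SPLUNK_DB/<name>/...` layout is assumed.

```python
import re

# Naming rule as stated on this page: only digits, lowercase letters,
# underscores and hyphens; must not start with an underscore or a hyphen.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")


def valid_index_name(name):
    """Return True if the name satisfies the page's naming rule."""
    # fullmatch() rejects trailing newlines, slashes, dots and brackets, so a
    # name cannot alter the paths or the stanza header it is interpolated into.
    return INDEX_NAME_RE.fullmatch(name) is not None


def render_stanza(name, max_total_mb=500000, max_bucket="auto", frozen_dir=None):
    """Build the indexes.conf stanza that mirrors the New Index form fields."""
    if not valid_index_name(name):
        raise ValueError(f"invalid index name: {name!r}")
    lines = [
        f"[{name}]",
        f"homePath = $SPLUNK_DB/{name}/db",            # Home Path: hot and warm buckets
        f"coldPath = $SPLUNK_DB/{name}/colddb",        # Cold Path
        f"thawedPath = $SPLUNK_DB/{name}/thaweddb",    # Thawed Path
        f"maxTotalDataSizeMB = {int(max_total_mb)}",   # Max Size of Entire Index
        f"maxDataSize = {max_bucket}",                 # Max Size of Hot/Warm/Cold Bucket
    ]
    if frozen_dir:
        # Frozen Path is optional; set it only to archive frozen buckets.
        lines.append(f"coldToFrozenDir = {frozen_dir}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(render_stanza("fw_logs-01", frozen_dir="/archive/splunk/fw_logs-01"))
    for candidate in ("fw_logs-01", "_fw", "-fw", "FW_Logs", "../etc", "a]\n[main"):
        print(f"{candidate!r}: {valid_index_name(candidate)}")
```
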

Geek University 2022