As mentioned earlier, indexes can be created with Splunk Web, the command-line interface (CLI), or by manually editing the indexes.conf file. The easiest way is to use Splunk Web. Here are the steps:
Log in to Splunk Web with an administrative account and go to Settings > Indexes.
The Indexes page should open. Click New Index.
The New Index page should open. You need to provide the following information:
- Index name – the name for the index. It can contain only digits, lowercase letters, underscores, and hyphens and cannot start with an underscore or a hyphen.
- Home Path – specifies the path that contains the hot and warm buckets.
- Cold Path – specifies the path for indexes rolled off from hot.
- Thawed Path – specifies the path for indexes unzipped or archived for reuse.
- Max Size of Entire Index – the maximum size of the index. 500,000 MB by default.
- Max Size of Hot/Warm/Cold Bucket – specifies the maximum target size of buckets.
- Frozen Path – an optional parameter. Set this field if you want to archive frozen buckets.
- App – the app for the index.
You should see the new index in the list of indexes.
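For the indexes.conf route mentioned at the start, the following added example (not from the original page or from Splunk) checks a proposed name against the naming rule above and renders the stanza that corresponds to the New Index form fields. The function names, the sample index name and the `$SPLUNK_DB/<name>/...` path layout are assumptions; the App field has no setting of its own here, since it only decides which app's indexes.conf receives the stanza.

```python
import re

# Naming rule from the field list above: digits, lowercase letters,
# underscores and hyphens only; no leading underscore or hyphen.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")


def valid_index_name(name):
    """True if `name` satisfies the New Index naming rule."""
    # fullmatch (not match with '$') so a trailing newline is rejected too.
    return INDEX_NAME_RE.fullmatch(name) is not None


def render_index_stanza(name, max_total_mb=500000, max_bucket="auto",
                        frozen_dir=None):
    """Build the indexes.conf stanza for one index (hypothetical helper)."""
    if not valid_index_name(name):
        raise ValueError(f"invalid index name: {name!r}")
    if not isinstance(max_total_mb, int) or max_total_mb <= 0:
        raise ValueError("max_total_mb must be a positive integer (MB)")
    lines = [
        f"[{name}]",
        # Home Path: hot and warm buckets (assumed $SPLUNK_DB layout)
        f"homePath = $SPLUNK_DB/{name}/db",
        # Cold Path
        f"coldPath = $SPLUNK_DB/{name}/colddb",
        # Thawed Path
        f"thawedPath = $SPLUNK_DB/{name}/thaweddb",
        # Max Size of Entire Index, in MB
        f"maxTotalDataSizeMB = {max_total_mb}",
        # Max Size of Hot/Warm/Cold Bucket
        f"maxDataSize = {max_bucket}",
    ]
    if frozen_dir:
        # Frozen Path is optional; set it only to archive frozen buckets.
        lines.append(f"coldToFrozenDir = {frozen_dir}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    print(render_index_stanza("web_proxy-01", frozen_dir="/archive/web_proxy-01"))
    for candidate in ("web_proxy-01", "_audit2", "-tmp", "WebLogs", "dns logs"):
        print(f"{candidate!r:16} valid={valid_index_name(candidate)}")
```

Validating the name before writing the file catches uppercase letters, spaces and leading underscores or hyphens, which the Splunk Web form would otherwise reject for you.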