Hi,
I have a few large directories that take a long time for Splunk to start indexing after a restart. Is there an ability to provide a priority on which stanzas Splunk should start indexing first over others? Some of my file monitoring stanzas are nice to have and others are critical. I would like to see the Criticals indexed first.
Thank you,
Chris
I am pretty sure that it is done alphabetically but in any case, however you find that it is done, I am sure there is no way to control it. Once you figure out how exactly Splunk orders its work, you can exploit this by using directory links. If this is *nix, you use ln -fs. Then you modify your inputs.conf to use the new path. For example, assuming alphabetical processing, let's say your existing structure is like this:
/etc/mydir/priority3.log <- indexing first
/opt/mydir/priority1.log <- indexing second
/var/logs/priority2.log <- indexing third
You would do this to fix:
mkdir /splunkprioritization/
ln -fs /opt/mydir/ /splunkprioritization/priority1
ln -fs /var/logs/ /splunkprioritization/priority2
ln -fs /etc/mydir/ /splunkprioritization/priority3
Then modify your inputs.conf accordingly to swap out the old paths with the new paths.
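
The symlink procedure from the answer above as a re-runnable script; this is an added example, not part of the original post and not Splunk tooling. The function name `make_priority_links` and the zero-padded `priorityNN` link names are assumptions of this example, and it relies on the answer's unverified premise that monitored paths are processed alphabetically.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original answer).
# Assumption carried over from the answer: monitor inputs are picked up in
# alphabetical path order, so lower-numbered links are read first.
#
# Usage: make_priority_links ROOT SRC_DIR...
#   e.g. make_priority_links /splunkprioritization /opt/mydir /var/logs /etc/mydir
# Creates ROOT/priority01, ROOT/priority02, ... pointing at the source
# directories in the order given and prints one monitor stanza per link,
# ready to paste into inputs.conf in place of the old paths.
#
# Keep ROOT writable only by an administrator: whoever can replace these
# links decides which directories the monitor input reads.
make_priority_links() {
    root=$1
    shift
    mkdir -p "$root" || return 1
    n=0
    for src in "$@"; do
        n=$((n + 1))
        if [ ! -d "$src" ]; then
            echo "error: $src is not a directory" >&2
            return 1
        fi
        # Zero-pad so priority10 does not sort ahead of priority2.
        link=$(printf '%s/priority%02d' "$root" "$n")
        # -n replaces an existing link on re-run instead of creating a
        # stray link inside the directory the old link points to.
        ln -sfn "$src" "$link" || return 1
        printf '[monitor://%s]\n\n' "$link"
    done
}
```
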