Monitoring Splunk

names of internal indexes "_audit" and "_thefishbucket"

zella
Explorer

I have confusion around the names of these internal indexes.

I was always taught to set up my stanzas in my indexes.conf to "_audit" and "_thefishbucket".

But upon examining a fresh install of Splunk without having set up indexes.conf yet, I noticed that under /$SPLUNK_HOME/var/lib/splunk, the indexes are listed as "audit" and "fishbucket" without the underscores or "the" in front of fishbucket.

So which is correct? If I tell my indexes.conf to set up a path to /var/lib/splunk/_thefishbucket and /var/lib/splunk/_audit, wouldn't it just make a new directory that isn't associated with the Splunk internal directories?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @zella,
when you speak of audit, the physical folder is _audit, when you speak of _thefishbucket, the physical folder is fishbucket, at the same time there's a folder called defaultdb, that's main index.
I don't know wht there are these differences between names and physical folders and why sometimes they used _ and sometimes not, but these are the names of internal indexes.

Anyway, they are internal Splunk indexes, so don't touch them and if you want to change retention or dimension copy the stanza from the default folder to the local folder to be more sure to use the correct one.

Ciao and Merry Christmas.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...