[default] thawedPath = $SPLUNK_DB/$_index_name/thaweddb coldPath = volume:secondary/$_index_name/colddb homePath = volume:primary/$_index_name/db tstatsHomePath = volume:primary/$_index_name/datamodel_summary tsidxWritingLevel = 4 journalCompression = zstd enableDataIntegrityControl = 0 enableTsidxReduction = 0 archiver.enableDataArchive = 0 compressRawdata = 1 enableOnlineBucketRepair = 1 rtRouterQueueSize = rtRouterThreads = selfStorageThreads = suspendHotRollByDeleteQuery = 0 syncMeta = 1 maxTotalDataSizeMB = 10000 [idx_linky] repFactor = auto [idx_api-renault] [sysmon] [idx_m-tic_windows] [idx_m-tic_fortigate] [idx_m-tic_linux] [idx_m-tic_esxi] [vmware-esxilog] repFactor = auto [vmware-perf-metrics] repFactor = auto datatype = metric [vmware-perf] repFactor = auto [vmware-inv] repFactor = auto [vmware-taskevent] repFactor = auto [vmware-vclog] repFactor = auto [idx_m-tic_alcatel] [idx_m-tic_cisco] [idx_m-tic_switch] [idx_m-tic_catchall] [idx_m-tic_catchother] [idx_m-tic_other] [idx_m-tic_glpi] [idx_m-tic_glpi_vm] [idx_m-tic_glpi_kb] [idx_m-tic_glpi_sep] [idx_m-tic_glpi_obsolescence] [idx_m-tic_genetec_sc] [idx_ldap] [idx_m-tic_synology] [msad] #maxHotBuckets = 10 [perfmon] #maxHotBuckets = 10 [winmetrics] [winevents] #maxHotBuckets = 10 [windows] #maxHotBuckets = 10 [wineventlog] #maxHotBuckets = 10 # # Overview. Below you will find the basic indexes.conf settings for # # setting up your indexes in Splunk. We separate into different indexes # # to allow for performance (in some cases) or data isolation in others. # # All indexes come preconfigured with a relatively short retention period # # that should work for everyone, but if you have more disk space, we # # encourage (and usually see) longer retention periods, particularly # # for security customers. # # Endpoint Indexes used for Splunk Security Essentials. # # If you have the sources, other standard indexes we recommend include: # # epproxy - Local Proxy Activity # [epav] # coldPath = $SPLUNK_DB/epav/colddb # homePath = $SPLUNK_DB/epav/db # thawedPath = $SPLUNK_DB/epav/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [epfw] # coldPath = $SPLUNK_DB/epnet/colddb # homePath = $SPLUNK_DB/epnet/db # thawedPath = $SPLUNK_DB/epnet/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [ephids] # coldPath = $SPLUNK_DB/epmon/colddb # homePath = $SPLUNK_DB/epmon/db # thawedPath = $SPLUNK_DB/epmon/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [epintel] # coldPath = $SPLUNK_DB/epweb/colddb # homePath = $SPLUNK_DB/epweb/db # thawedPath = $SPLUNK_DB/epweb/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [oswin] # coldPath = $SPLUNK_DB/oswin/colddb # homePath = $SPLUNK_DB/oswin/db # thawedPath = $SPLUNK_DB/oswin/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [oswinsec] # coldPath = $SPLUNK_DB/oswinsec/colddb # homePath = $SPLUNK_DB/oswinsec/db # thawedPath = $SPLUNK_DB/oswinsec/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [oswinscript] # coldPath = $SPLUNK_DB/oswinscript/colddb # homePath = $SPLUNK_DB/oswinscript/db # thawedPath = $SPLUNK_DB/oswinscript/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [oswinperf] # coldPath = $SPLUNK_DB/oswinperf/colddb # homePath = $SPLUNK_DB/oswinperf/db # thawedPath = $SPLUNK_DB/oswinperf/thaweddb # frozenTimePeriodInSecs = 604800 # #7 days # [osnix] # coldPath = $SPLUNK_DB/osnix/colddb # homePath = $SPLUNK_DB/osnix/db # thawedPath = $SPLUNK_DB/osnix/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [osnixsec] # coldPath = $SPLUNK_DB/osnixsec/colddb # homePath = $SPLUNK_DB/osnixsec/db # thawedPath = $SPLUNK_DB/osnixsec/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [osnixscript] # coldPath = $SPLUNK_DB/osnixscript/colddb # homePath = $SPLUNK_DB/osnixscript/db # thawedPath = $SPLUNK_DB/osnixscript/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [osnixperf] # coldPath = $SPLUNK_DB/osnixperf/colddb # homePath = $SPLUNK_DB/osnixperf/db # thawedPath = $SPLUNK_DB/osnixperf/thaweddb # frozenTimePeriodInSecs = 604800 # #7 days # # Network Indexes used for Splunk Security Essentials # # If you have the sources, other standard indexes we recommend include: # # netauth - for network authentication sources # # netflow - for netflow data # # netids - for dedicated IPS environments # # netipam - for IPAM systems # # netnlb - for non-web server load balancer data (e.g., DNS, SMTP, SIP, etc.) # # netops - for general network system data (such as Cisco iOS non-netflow logs) # # netvuln - for Network Vulnerability Data # [netdns] # coldPath = $SPLUNK_DB/netdns/colddb # homePath = $SPLUNK_DB/netdns/db # thawedPath = $SPLUNK_DB/netdns/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [mail] # coldPath = $SPLUNK_DB/mail/colddb # homePath = $SPLUNK_DB/mail/db # thawedPath = $SPLUNK_DB/mail/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [netfw] # coldPath = $SPLUNK_DB/netfw/colddb # homePath = $SPLUNK_DB/netfw/db # thawedPath = $SPLUNK_DB/netfw/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [netops] # coldPath = $SPLUNK_DB/netops/colddb # homePath = $SPLUNK_DB/netops/db # thawedPath = $SPLUNK_DB/netops/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [netproxy] # coldPath = $SPLUNK_DB/netproxy/colddb # homePath = $SPLUNK_DB/netproxy/db # thawedPath = $SPLUNK_DB/netproxy/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # [netvpn] # coldPath = $SPLUNK_DB/netvpn/colddb # homePath = $SPLUNK_DB/netvpn/db # thawedPath = $SPLUNK_DB/netvpn/thaweddb # frozenTimePeriodInSecs = 2592000 # #30 days # # Splunk Security Essentials doesn't have examples of Application Security, # # but if you want to ingest those logs, here are the recommended indexes: # # appwebint - Internal WebApp Access Logs # # appwebext - External WebApp Access Logs # # appwebintrp - Internal-facing Web App Load Balancers # # appwebextrp - External-facing Web App Load Balancers # # appwebcdn - CDN logs for your website # # appdbserver - Database Servers # # appmsgserver - Messaging Servers # # appint - App Servers for internal-facing apps # # appext - App Servers for external-facing apps