# indexes.conf -- per-index storage settings for this Splunk deployment.
# Splunk conf syntax: `#` comments on their own line only, no inline comments.
# [default] applies to every index stanza in this file unless a stanza
# overrides the key. Settings not present here may still come from other
# layers of indexes.conf (system/default, other apps); the merged view is
# what `splunk btool indexes list` prints.
[default]

# --- bucket locations ---
# $_index_name expands to the stanza name. volume:primary and
# volume:secondary must be declared by [volume:primary] / [volume:secondary]
# stanzas, which are not in this file -- confirm they exist in another layer.
homePath = volume:primary/$_index_name/db
coldPath = volume:secondary/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
tstatsHomePath = volume:primary/$_index_name/datamodel_summary

# --- retention ---
# Size cap per index, in MB. When an index reaches it the oldest buckets are
# frozen; no coldToFrozenDir / coldToFrozenScript is set in this file, so
# frozen buckets are deleted unless another layer configures archiving.
# 10 GB is far below the product default (500000 MB) and bounds how far back
# security/forensic searches can reach on every index that inherits it.
# frozenTimePeriodInSecs is not set, so the size cap is normally reached
# before the time-based default.
maxTotalDataSizeMB = 10000

# --- integrity / tamper evidence ---
# 0 = rawdata is not hashed. Set to 1 where bucket contents must be
# verifiable (evidence-grade retention); NOTE(review): buckets already on
# disk are presumably not hashed retroactively -- verify before relying on it.
enableDataIntegrityControl = 0
suspendHotRollByDeleteQuery = 0
syncMeta = 1
enableOnlineBucketRepair = 1

# --- storage format / performance ---
journalCompression = zstd
compressRawdata = 1
tsidxWritingLevel = 4
enableTsidxReduction = 0
archiver.enableDataArchive = 0

# --- empty assignments ---
# Each of these overrides any value from a lower layer with an empty string.
# NOTE(review): confirm the indexer treats an empty value for these integer
# settings as "use default" rather than as an invalid setting (check
# splunkd.log after a restart), or drop the three lines.
rtRouterQueueSize =
rtRouterThreads =
selfStorageThreads =

# --- application and endpoint indexes ---
# An empty stanza only declares the index; paths, the size cap and the
# integrity setting all come from [default].
# repFactor: only idx_linky requests cluster replication here. In an indexer
# cluster an index without repFactor = auto is kept as a single copy (the
# default is 0), so sysmon and the idx_m-tic_* endpoint telemetry would not
# survive the loss of the peer that holds it. NOTE(review): confirm whether
# this deployment is clustered and whether the omission is intended.

[idx_linky]
repFactor = auto

[idx_api-renault]

[sysmon]

[idx_m-tic_windows]

[idx_m-tic_fortigate]

[idx_m-tic_linux]

[idx_m-tic_esxi]

# --- VMware indexes ---
# Every stanza requests cluster replication (repFactor = auto) and otherwise
# inherits [default], including its 10 GB size cap.

[vmware-esxilog]
repFactor = auto

# Metrics index: stores metric data points, not events.
[vmware-perf-metrics]
datatype = metric
repFactor = auto

[vmware-perf]
repFactor = auto

[vmware-inv]
repFactor = auto

[vmware-taskevent]
repFactor = auto

[vmware-vclog]
repFactor = auto

# --- network, asset-management and directory indexes ---
# All empty: each index exists with every setting inherited from [default].
# None requests cluster replication; in an indexer cluster an index without
# repFactor = auto is kept as a single copy (default repFactor is 0).
# NOTE(review): idx_ldap and the GLPI indexes hold identity / asset data that
# investigations lean on -- confirm single-copy retention is acceptable.

[idx_m-tic_alcatel]

[idx_m-tic_cisco]

[idx_m-tic_switch]

[idx_m-tic_catchall]

[idx_m-tic_catchother]

[idx_m-tic_other]

[idx_m-tic_glpi]

[idx_m-tic_glpi_vm]

[idx_m-tic_glpi_kb]

[idx_m-tic_glpi_sep]

[idx_m-tic_glpi_obsolescence]

[idx_m-tic_genetec_sc]

[idx_ldap]

[idx_m-tic_synology]

# --- Windows / Active Directory indexes ---
# msad, winevents, windows and wineventlog carry authentication and audit
# records; they inherit the 10 GB size cap and enableDataIntegrityControl = 0
# from [default], so retention and tamper evidence for this data are decided
# there, not here.
# `maxHotBuckets = 10` is commented out in four stanzas, so the product
# default applies; the lines presumably record a setting that was tried.

[msad]
# maxHotBuckets = 10

[perfmon]
# maxHotBuckets = 10

[winmetrics]

[winevents]
# maxHotBuckets = 10

[windows]
# maxHotBuckets = 10

[wineventlog]
# maxHotBuckets = 10

# Overview. Below you will find the basic indexes.conf settings for
# setting up your indexes in Splunk. We separate into different indexes
# to allow for performance (in some cases) or data isolation in others.
# All indexes come preconfigured with a relatively short retention period
# that should work for everyone, but if you have more disk space, we
# encourage (and usually see) longer retention periods, particularly
# for security customers.
#
# NOTE(review): everything from here to the end of the file is commented
# out and has no effect. Before enabling any of the example stanzas, note
# that several reference paths that do not match their stanza name
# ([epfw] -> epnet, [ephids] -> epmon, [epintel] -> epweb), and that they
# use $SPLUNK_DB directly rather than the volume:primary / volume:secondary
# layout the live [default] stanza relies on.

# Endpoint Indexes used for Splunk Security Essentials.
# If you have the sources, other standard indexes we recommend include:
# epproxy - Local Proxy Activity

# [epav]
# coldPath = $SPLUNK_DB/epav/colddb
# homePath = $SPLUNK_DB/epav/db
# thawedPath = $SPLUNK_DB/epav/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [epfw]
# coldPath = $SPLUNK_DB/epnet/colddb
# homePath = $SPLUNK_DB/epnet/db
# thawedPath = $SPLUNK_DB/epnet/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [ephids]
# coldPath = $SPLUNK_DB/epmon/colddb
# homePath = $SPLUNK_DB/epmon/db
# thawedPath = $SPLUNK_DB/epmon/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [epintel]
# coldPath = $SPLUNK_DB/epweb/colddb
# homePath = $SPLUNK_DB/epweb/db
# thawedPath = $SPLUNK_DB/epweb/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [oswin]
# coldPath = $SPLUNK_DB/oswin/colddb
# homePath = $SPLUNK_DB/oswin/db
# thawedPath = $SPLUNK_DB/oswin/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [oswinsec]
# coldPath = $SPLUNK_DB/oswinsec/colddb
# homePath = $SPLUNK_DB/oswinsec/db
# thawedPath = $SPLUNK_DB/oswinsec/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [oswinscript]
# coldPath = $SPLUNK_DB/oswinscript/colddb
# homePath = $SPLUNK_DB/oswinscript/db
# thawedPath = $SPLUNK_DB/oswinscript/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [oswinperf]
# coldPath = $SPLUNK_DB/oswinperf/colddb
# homePath = $SPLUNK_DB/oswinperf/db
# thawedPath = $SPLUNK_DB/oswinperf/thaweddb
# frozenTimePeriodInSecs = 604800
# 7 days

# [osnix]
# coldPath = $SPLUNK_DB/osnix/colddb
# homePath = $SPLUNK_DB/osnix/db
# thawedPath = $SPLUNK_DB/osnix/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [osnixsec]
# coldPath = $SPLUNK_DB/osnixsec/colddb
# homePath = $SPLUNK_DB/osnixsec/db
# thawedPath = $SPLUNK_DB/osnixsec/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [osnixscript]
# coldPath = $SPLUNK_DB/osnixscript/colddb
# homePath = $SPLUNK_DB/osnixscript/db
# thawedPath = $SPLUNK_DB/osnixscript/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [osnixperf]
# coldPath = $SPLUNK_DB/osnixperf/colddb
# homePath = $SPLUNK_DB/osnixperf/db
# thawedPath = $SPLUNK_DB/osnixperf/thaweddb
# frozenTimePeriodInSecs = 604800
# 7 days

# Network Indexes used for Splunk Security Essentials
# If you have the sources, other standard indexes we recommend include:
# netauth - for network authentication sources
# netflow - for netflow data
# netids - for dedicated IPS environments
# netipam - for IPAM systems
# netnlb - for non-web server load balancer data (e.g., DNS, SMTP, SIP, etc.)
# netops - for general network system data (such as Cisco iOS non-netflow logs)
# netvuln - for Network Vulnerability Data

# [netdns]
# coldPath = $SPLUNK_DB/netdns/colddb
# homePath = $SPLUNK_DB/netdns/db
# thawedPath = $SPLUNK_DB/netdns/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [mail]
# coldPath = $SPLUNK_DB/mail/colddb
# homePath = $SPLUNK_DB/mail/db
# thawedPath = $SPLUNK_DB/mail/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [netfw]
# coldPath = $SPLUNK_DB/netfw/colddb
# homePath = $SPLUNK_DB/netfw/db
# thawedPath = $SPLUNK_DB/netfw/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [netops]
# coldPath = $SPLUNK_DB/netops/colddb
# homePath = $SPLUNK_DB/netops/db
# thawedPath = $SPLUNK_DB/netops/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [netproxy]
# coldPath = $SPLUNK_DB/netproxy/colddb
# homePath = $SPLUNK_DB/netproxy/db
# thawedPath = $SPLUNK_DB/netproxy/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# [netvpn]
# coldPath = $SPLUNK_DB/netvpn/colddb
# homePath = $SPLUNK_DB/netvpn/db
# thawedPath = $SPLUNK_DB/netvpn/thaweddb
# frozenTimePeriodInSecs = 2592000
# 30 days

# Splunk Security Essentials doesn't have examples of Application Security,
# but if you want to ingest those logs, here are the recommended indexes:
# appwebint - Internal WebApp Access Logs
# appwebext - External WebApp Access Logs
# appwebintrp - Internal-facing Web App Load Balancers
# appwebextrp - External-facing Web App Load Balancers
# appwebcdn - CDN logs for your website
# appdbserver - Database Servers
# appmsgserver - Messaging Servers
# appint - App Servers for internal-facing apps
# appext - App Servers for external-facing apps