As the indexer indexes your data, it creates a number of files:

- The raw data in compressed form (the rawdata journal)
- Indexes that point to the raw data (tsidx files)

Together, these files constitute the Splunk Enterprise index. The files reside in sets of directories, or buckets, organized by age.

An index typically consists of many buckets, and the number of buckets grows as the index grows. Each bucket contains a rawdata journal, along with associated tsidx and metadata files. The data in each bucket is bounded by a limited time range. As data continues to enter the system, the indexer creates new buckets to accommodate the increase in data. Some buckets on the indexer contain newly indexed data; others contain previously indexed data. The number of buckets in an index can grow quite large, depending on how much data you're indexing and how long you retain the data.

Why the details might, or might not, matter to you

The indexer handles indexed data by default in a way that gracefully ages the data through several states. After a long period of time, typically several years, the indexer removes old data from your system. You might well be fine with the default scheme it uses.
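The bucket model described above (time-bounded buckets, a raw journal plus a term index per bucket, new buckets as data arrives, and age-based removal), as an added illustration in Python; this is constructed example code, not Splunk's implementation or on-disk format, and the bucket span, retention window and sample events are assumed values:

```python
from dataclasses import dataclass, field
# Constructed model of an index built from age-ordered buckets; an illustration,
# not Splunk's on-disk format. Each bucket covers a bounded time range and holds its
# events (standing in for the rawdata journal) plus a term index (the "tsidx").
BUCKET_SPAN = 3600  # max seconds of event time per bucket (assumed value)

@dataclass
class Bucket:
    earliest: int
    latest: int
    events: list = field(default_factory=list)  # raw events
    terms: dict = field(default_factory=dict)   # term -> offsets into events

    def add(self, ts, text):
        self.events.append((ts, text))
        for term in text.split():
            self.terms.setdefault(term, []).append(len(self.events) - 1)
        self.earliest, self.latest = min(self.earliest, ts), max(self.latest, ts)

class Index:
    def __init__(self):
        self.buckets = []

    def add_event(self, ts, text):
        # Roll to a new bucket once the current one would exceed its bounded span.
        cur = self.buckets[-1] if self.buckets else None
        if cur is None or max(cur.latest, ts) - min(cur.earliest, ts) > BUCKET_SPAN:
            cur = Bucket(earliest=ts, latest=ts)
            self.buckets.append(cur)
        cur.add(ts, text)

    def search(self, term, start, end):
        # Bucket time bounds let a search skip buckets that cannot match; the term
        # index then locates events without scanning every raw event.
        hits = []
        for b in self.buckets:
            if b.latest < start or b.earliest > end:
                continue
            for off in b.terms.get(term, []):
                ts, text = b.events[off]
                if start <= ts <= end:
                    hits.append((ts, text))
        return hits

    def expire(self, now, retention):
        # Age out whole buckets whose newest event is older than the retention window.
        keep = [b for b in self.buckets if now - b.latest <= retention]
        removed = len(self.buckets) - len(keep)
        self.buckets = keep
        return removed
```

Because expiry works on whole buckets, events are removed only when the newest event in their bucket passes the retention window, which is why a time-bounded span per bucket matters for predictable retention.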