Understanding buckets
Buckets are an integral part of indexes; they contain the raw data and the index files built from it. They are organized as folders on the filesystem with a specific naming pattern, and the Splunk indexer uses these folders for both data storage and search processing.
To learn a bit more about them, let's look at the default _introspection index folder structure:
Figure 5.1: Splunk non-clustered index folder structure
Figure 5.1 shows the _introspection index inside the $SPLUNK_DB path. This naming convention applies only to non-clustered indexers. Let's take a look at the indexes.conf file located in the $SPLUNK_HOME/etc/system/default/ directory. It contains the _introspection index settings that correlate with the folder structure in Figure 5.1:
    # indexes.conf - _introspection internal index settings
    [_introspection]
    homePath = $SPLUNK_DB\_introspection\db
    coldPath = $SPLUNK_DB\_introspection\colddb
    ...
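As an added example (not from the book or from Splunk itself), the following Python resolves the `*Path` settings of an indexes.conf stanza against a `$SPLUNK_DB` value and parses the non-clustered warm/cold bucket folder name `db_<latest_epoch>_<earliest_epoch>_<bucket_id>` so you can tell which buckets on disk can hold events for a given time window, which is useful when scoping an investigation or verifying retention. The stanza text and bucket names are constructed, Linux-style samples, and the bucket name pattern is the non-clustered one (clustered indexers append a GUID, which this parser deliberately rejects).

```python
import re
from typing import Dict, Tuple

# Constructed sample stanza in the shape of the default indexes.conf
# (Linux-style separators; not copied from a real installation).
SAMPLE_CONF = """
# indexes.conf - _introspection internal index settings
[_introspection]
homePath = $SPLUNK_DB/_introspection/db
coldPath = $SPLUNK_DB/_introspection/colddb
thawedPath = $SPLUNK_DB/_introspection/thaweddb
"""

# Warm/cold bucket folder names on a NON-clustered indexer:
# db_<latest_event_epoch>_<earliest_event_epoch>_<bucket_id>
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")


def parse_index_paths(conf_text: str, splunk_db: str) -> Dict[str, Dict[str, str]]:
    """Return {index_name: {setting: resolved_path}} for every *Path setting."""
    indexes: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new stanza, e.g. [_introspection]
            indexes[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.endswith("Path"):
            indexes[current][key] = value.replace("$SPLUNK_DB", splunk_db)
    return indexes


def parse_bucket_name(name: str) -> Tuple[int, int, int]:
    """Split db_<latest>_<earliest>_<id> into (latest, earliest, bucket_id)."""
    m = BUCKET_RE.match(name)
    if not m:
        raise ValueError(f"not a non-clustered warm/cold bucket name: {name}")
    latest, earliest, bucket_id = (int(g) for g in m.groups())
    if earliest > latest:
        raise ValueError(f"earliest time is after latest time in {name}")
    return latest, earliest, bucket_id


def bucket_overlaps(name: str, start: int, end: int) -> bool:
    """True if the bucket's event time span intersects the window [start, end]."""
    latest, earliest, _ = parse_bucket_name(name)
    return earliest <= end and latest >= start
```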