Configuring indexes
Splunk will allow you to set the location (path) to your nonclustered indexes using Splunk Web, but the majority of the configurations must be done by editing the indexes.conf file (for this discussion, we will stick to nonclustered indexes).
The indexes.conf file should be saved at $SPLUNK_HOME/etc/system/local/ or in a custom app directory, in $SPLUNK_HOME/etc/apps/.
The following are the most interesting index configuration attributes (you can use the product documentation to review the full list):
homePath,coldPath, andthawedPath: These attributes are all required settings. These indicate where Splunk will place the index buckets (hot/warm are stored in home, cold in cold, and thawed in thawed). TheColdToFrozenDirattribute is optional and indicates where Splunk will archive data before deleting it from an index.maxHotBuckets: This attribute is the limit of hot or live index buckets, andmaxDataSizeis the attribute to limit how big a hot or live bucket can grow...
