Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome to the Splunk Enterprise Certified Administrator course on Cyber A. This is less than 5.4 indexes dot com where we'll be talking in depth about what indexes dot com for look like and some of the configurations you can make in that file learning objectives are gonna be
00:18
setting bucket paths, setting bucket role criteria and applying retention policies to your buckets.
00:25
Why are we learning this? Well, essentially, we talked about indexes and how all these configurations can be made in depth throughout the past few lessons, and now this will walk through the actual configuration file and teach you how to do those configurations to kind of wrap that information together.
00:44
So indexes dot com structure. So this is gonna be structured similar to any other index by our comp dot com file, where consists of stanzas, followed by attributes where the stands that defines the basically, what the settings are being applied to, and then the attributes
01:03
to find the actual
01:04
configurations.
01:06
So when I do my indexes dot com files, I always do my volume definitions at the top, and then once I've defined my volumes, I start defining my individual indexes this so the stands the name by the full will.
01:22
If you don't specify anything else, if you just type of name that's going to be defining an index, and whatever name you put in the stanza will be the name of the index. If you want to define a volume, you need to use the volume colon, whatever the name is
01:40
in your square brackets. To make a volume,
01:44
your attributes that you'll put under your indexes will define all kinds of things about the index, such as like the path the size, that retention time, you know, the number of warm buckets and a couple other things. But we're gonna discuss those in depth in the next couple of slides.
02:02
So here are the attributes that you would use to define
02:07
basically the different paths associated with your index, so the home bath will specify where you're hot and warm buckets are stored. Your cold path will specify where you were. Cold buckets are stored. If you specify a cold, the frozen dirt that will give you a frozen directory
02:25
and then if you do cold differs and script, that would be to basically run a script to move the data off from the local device to some remote frozen storage
02:39
and then, as far, is actually configuring the buckets with your attributes. These are the ones who would use so Max. Data size will specify the max size for a hot bucket. Max Hot pockets will obviously specify the maximum number of hot buckets you're allowed.
02:55
Warm DB Max Warm DD account will specify the max number of warm buckets You can have
03:01
homeopath that Max data size and be will specify the max size for your homeopath, which, as we mentioned before, is where you're hot and warm. Buckets, air, sword and cold path. That max status size MB will specify the max size for your cold storage if you want. Oh, if you want to enforce some limitations
03:21
by bucket type
03:23
and then as for his index retention setting, so these are the settings you're going to use if you're enforcing a retention policy,
03:30
so you're inside this in advance. What is the maximum amount of data I want a store, and what is the maximum time frame for storing that data? But keep in mind if either one of these is if either one of these restrictions is hit
03:46
than your data will automatically roll to frozen. So even if you wanted toe have a longer retention period.
03:53
But you hit your Mac status eyes, you're gonna start rolling down a frozen, which means you may not be meeting your attention requirements, so just pay careful attention to that. So Max, total data size MB will specify. The max size and frozen time period in seconds will specify how old you'll how old data will be
04:14
in seconds
04:15
for its rolled frozen.
04:17
So a quick note on volumes I know we mentioned them earlier. What they are is essentially just ah, grouping of indexes, so you can you can create a volume, and then you can have the paths for different indexes right to that volume.
04:36
And then you can set specific size limits
04:40
on the volume so you can manage multiple indexes at once. The only thing to keep in mind here is that any limitations on the ball yume so, for example, size limitations will supersede your index specific limitations. So if
05:00
one index is hogging mostly data available on the volume,
05:04
then you may not meet your attention periods because when the volumes filled, it will start rolling data to frozen, regardless of what the index specific setting is.
05:17
So here's an example
05:19
of what it would look like if you configure the volume. And like I mentioned in the first slide, um, I always to find my volumes at the top. So here the two volumes volume Colon. The name is the stanza, which, which
05:34
indicates, Hey, this is a volume and then also tells you what the volume should be named so that you can reference it later
05:41
and you specify a path and the max size there and then a Z. You can see later on where these indexes I one I two and Main are being defined. They can reference the volume as their path.
05:55
Um, so that's what this would look like. And it's kind of nice, because you can use the volume as a kind of shorthand if you want.
06:08
So in this video we covered the different basically well. First, we started with the structure of indexes dot com, and we talked about the different attributes available for defining where the index's buckets will reside. Where, the or what,
06:26
what settings they'll use to determine when buckets roll over on. Also, the index
06:31
spent settings for retention, whether it be by time or data size. And we also discussed volumes and looked at a sample configuration where there were several Index is actually using a volume, so that wraps up this lesson and we'll see you in the next video.

Up Next

Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Instructor Profile Image
Anthony Fecondo
Splunk Professional Service Consultant
Instructor