Optimize indexes

While the indexer is indexing data, one or more instances of the splunk-optimize process run intermittently, merging index files together to optimize performance when searching the data. The splunk-optimize process can use a significant amount of CPU, but only briefly.

If splunk-optimize does not run frequently enough, searching will be less efficient.

splunk-optimize runs only on hot buckets. You can run it manually on a warm bucket if you find one with a large number of index (.tsidx) files; typically, more than 25. To run splunk-optimize, go to $SPLUNK_HOME/bin and type:

 splunk-optimize -d|--directory <bucket_directory>
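
To find warm buckets that meet the "more than 25 .tsidx files" guideline, you can scan an index's db directory. The following script is an added example, not part of the Splunk product or its documentation. It assumes that warm bucket directories are named db_<newest>_<oldest>_<id> and that hot buckets are named hot_v1_<id>; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list warm buckets holding more than a threshold of .tsidx files.
# Assumption: warm bucket directories are named db_<newest>_<oldest>_<id> and sit
# directly under the index's db directory. Hot buckets (hot_v1_<id>) are skipped,
# because splunk-optimize already runs on them automatically.

TSIDX_THRESHOLD=25   # the "typically, more than 25" guideline

# count_tsidx <bucket_dir>
# Prints the number of .tsidx files directly inside the bucket directory.
count_tsidx() {
    find "$1" -maxdepth 1 -type f -name '*.tsidx' | wc -l | tr -d ' '
}

# warm_buckets_to_optimize <index_db_dir> [threshold]
# Prints "<count> <bucket_dir>" for every warm bucket over the threshold.
warm_buckets_to_optimize() {
    db_dir=$1
    limit=${2:-$TSIDX_THRESHOLD}
    for bucket in "$db_dir"/db_*; do
        [ -d "$bucket" ] || continue    # glob matched nothing, or not a directory
        n=$(count_tsidx "$bucket")
        if [ "$n" -gt "$limit" ]; then
            printf '%s %s\n' "$n" "$bucket"
        fi
    done
}

# When called with a path, scan it:  sh find_warm.sh <index_db_dir> [threshold]
if [ "$#" -ge 1 ]; then
    warm_buckets_to_optimize "$@"
fi
```

Each directory the script prints is a candidate <bucket_directory> for the splunk-optimize -d command shown above.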

splunk-optimize accepts a number of optional parameters. To see a list of available parameters, type:

 splunk-optimize

To enable verbose logging from splunk-optimize to splunkd.log, you can set category.SplunkOptimize in log.cfg to INFO or DEBUG. The recommended way to do this is through the CLI:

 splunk set log-level SplunkOptimize -level DEBUG -auth admin:passwd

For more information on buckets, see How Splunk stores indexes.