When you add your “big” data to Splunk, it will process it and store it in a index (either the default main index or one you specify!). You, (as a Splunk administrator), have the ability (and responsibility) to manage your indexes (to suit your needs).
Let’s Begin!
The first step towards Splunk index management is to understand what indexes are currently available.
To view a list of the indexes (in Splunk Web) you can click on Settings and then select Indexes:
Image may be NSFW.
Clik here to view.
From the indexes page you can see all indexes currently defined (notice the preconfigured indexes: audit, main and internal):
Image may be NSFW.
Clik here to view.
You can keep this simple or go “complex”. There are a number of “index management” tasks you can perform:
- Working with multiple indexes
- Deleting or disabling indexes
- Configuring index storage properties
- Moving the index database
- Partition index data
- Set index sizes
- Limit index disk usage
- Backup indexed data
- Define an index archiving strategy
Working with multiple indexes
By default, all searches (that you don’t specify a specific index for) use the main or “default” index.
But you can create additional indexes. But why would you do that?
Reasons Why
Well, there are 3 main reasons for setting up multiple indexes in Splunk:
Security – your additional Indexes can be used to secure information by controlling user access to the data that’s in particular indexes.
Retention – Splunk (indexed) data may have to be retained for specific periods and then retired based upon certain business rules. If all of your data is written to the same index, it would be difficult to parse and manage.
Performance – With the proper indexing strategy, you can improve the performance of most searches.
Creating a New Splunk Index
Creating indexes can be done by using Splunk Web by:
- Going to Settings and then Indexes.
- Click New.
Image may be NSFW.
Clik here to view.
3, Enter the following:
the Index name, the Path/location for the index storage, the Maximum size for the index (the default is 500000 MB the maximum size of the hot (or currently written to) portion of the index and the frozen archive path (optional):
Image may be NSFW.
Clik here to view.
4. Click Save.
Image may be NSFW.
Clik here to view.
Hooray!
You’ve got a new Splunk Index!