Dealing with multiple indexes

If you do not set a specific index for a search, Splunk will use its main or default index (this might vary depending on the role(s) assigned to you and the default indexes currently configured). As a Splunk administrator, you can use Splunk Web, the CLI, or edit the indexes.conf file to create an unlimited number of additional indexes.

Reasons for multiple indexes

There are three main reasons why you might want (or need) to consider setting up more indexes in your Splunk environment. These are as follows:

Security: You can secure information using indexes by limiting which users can gain access to the data that is in particular indexes. When you assign users to roles, you can limit a user's searches to certain indexes ...

Get Mastering Splunk now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Splunk by James Miller

Dealing with multiple indexes

Reasons for multiple indexes

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly