https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580484#M102413 <P>Hi..&nbsp;</P><P>1. first best practice would be, as said on previous reply, to include source's name as part of index's name.&nbsp;</P><P>maybe, if your company name is "test", you can name your indexes like, "test_windows", test_linux, test_firewall, etc</P><P>2. if you have a single splunk environment with dev/test/prod all under one splunk, then, you should have it like, .. dev_windows, test_windows, prod_windows, dev_firewall, dev_proxy, etc</P><P>3. how critical the logs are... maybe, you include that as part of the index. example, L1_windows, L2_windows, L3_windows</P><P>4. Application names can be included as part of index name... firwall_windows, wmi_windows, java_windows, etc..&nbsp;</P><P>5. business group names as part of index names.. ... sales_windows, custom_windows, etc</P><P>&nbsp;</P><P>it all depends on how you want to segregate your logs. hope you got some ideas, thanks.&nbsp;</P> Mon, 10 Jan 2022 16:31:10 GMT inventsekar 2022-01-10T16:31:10Z https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580462#M102407 <P>Hi,</P><P>Is there a recommendation or a guideline available by Splunk on <STRONG>naming convention for INDEXES</STRONG></P><P>I have a new Splunk Enterprise environment at my company with a plan of roughly 70 data sources to be onboarded one after the other.</P><P>For example the Windows TA has&nbsp;</P><P>I would be happy for each input i can get from you.</P><P>Thank you in advance,</P><P>Jay</P><P>&nbsp;</P> Mon, 10 Jan 2022 15:01:27 GMT https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580462#M102407 ojay 2022-01-10T15:01:27Z https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580469#M102409 <P>It’s hard to say what is the best way to naming indexes (or other knowledge objects). You could found some examples from splunk documents.</P><P>Personally I prefer to use &lt;source system name&gt;_{audit,tech,apps} or similar suffix to separate security level of events. Then it depends how big your enterprise is, how many parts are in “source system name” to keep it unique in your installations including e.g. AD. Usually this leads to use abbreviations for those.</P><P>But I’m sure that there are almost as many ways than users/admins. But if/when you already have master data you should utilize it for naming all splunk KOs.</P><P>r. Ismo</P> Mon, 10 Jan 2022 15:11:45 GMT https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580469#M102409 isoutamo 2022-01-10T15:11:45Z https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580484#M102413 <P>Hi..&nbsp;</P><P>1. first best practice would be, as said on previous reply, to include source's name as part of index's name.&nbsp;</P><P>maybe, if your company name is "test", you can name your indexes like, "test_windows", test_linux, test_firewall, etc</P><P>2. if you have a single splunk environment with dev/test/prod all under one splunk, then, you should have it like, .. dev_windows, test_windows, prod_windows, dev_firewall, dev_proxy, etc</P><P>3. how critical the logs are... maybe, you include that as part of the index. example, L1_windows, L2_windows, L3_windows</P><P>4. Application names can be included as part of index name... firwall_windows, wmi_windows, java_windows, etc..&nbsp;</P><P>5. business group names as part of index names.. ... sales_windows, custom_windows, etc</P><P>&nbsp;</P><P>it all depends on how you want to segregate your logs. hope you got some ideas, thanks.&nbsp;</P> Mon, 10 Jan 2022 16:31:10 GMT https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580484#M102413 inventsekar 2022-01-10T16:31:10Z https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580486#M102414 <P>Just don't keep any spaces rest I will leave it to your imagination<span class="lia-unicode-emoji" title=":winking_face:">😉</span>.</P> Mon, 10 Jan 2022 16:36:32 GMT https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/580486#M102414 SinghK 2022-01-10T16:36:32Z https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/581900#M102544 <P>Thanks everyone, i have decided to create something like&nbsp;"technology_vendor"</P><P><SPAN>Jay</SPAN></P> Thu, 20 Jan 2022 15:02:57 GMT https://community.splunk.com/t5/Getting-Data-In/Index-naming-convention/m-p/581900#M102544 ojay 2022-01-20T15:02:57Z