I would like to combine my windows security events and linux security events into 1 index. Are the indexes that some of the splunk TAs create needed?
For Example,
Splunk_TA_microsoft_ad creates about 5 of these. The nix one, creates 2.
kungfu,
The indexes are only needed if you do not plan to change the default location that some of the inputs are configured to send data to.
I would also like to say that I would recommend keeping the windows and unix separate, in case down the road you decide to limit the access to specific data (be it Windows or *Nix).
Therefore, maybe make indexes as such to make searching easier but still separates operating system.
#Windows Security Events
index = win_security
#*Nix Security Events
index = nix_security
#Therefore when you execute a search, do the below to access both sets of data
index = *_security
kungfu,
The indexes are only needed if you do not plan to change the default location that some of the inputs are configured to send data to.
I would also like to say that I would recommend keeping the windows and unix separate, in case down the road you decide to limit the access to specific data (be it Windows or *Nix).
Therefore, maybe make indexes as such to make searching easier but still separates operating system.
#Windows Security Events
index = win_security
#*Nix Security Events
index = nix_security
#Therefore when you execute a search, do the below to access both sets of data
index = *_security
I thought about doing that. Separating them out, then I was like well I can have them together. But I think i'll go back to your recommendation and follow that. That seems reasonable to me and may save headaches down the road. I just wasn't sure if any of the apps relied on those indexes specifically to do queries.
Thank you for accepting! I'm glad I could help.
Some index names are queried by 'apps' but for the most part, most apps play it safe by querying across all accessible indexes and looking for a specific 'sourcetype' instead.