Deployment Architecture

Default indexes in Splunk Enterprise

reallyliri
Explorer

My Splunk Enterprise is running for a few months.

I'm sending all my logs (HEC and UDP) to index "main".

However, I see some indexes defined, mainly I'm concerned about the top-consuming ones: _audit, _internal and _introspection.

indexes

What processes are sending data to them? What value is that for me? Is it consuming my license quota? And where can I configure/disable these?

Thanks

0 Karma

renjith_nair
Legend

@reallyliri,

_audit : Events from the file system change monitor, auditing, and all user search history.
- Details : Audit Splunk activity

_internal : This index includes Splunk Enterprise internal logs and metrics.
- Details are in What Splunk software logs about itself

_introspection : Instrumentation data about your Splunk instance and environment and writes that data to log files to aid in reporting on system resource utilization and troubleshooting problems with your Splunk Enterprise deployment .
- More details : About Splunk Enterprise platform instrumentation

About the licensing, it does not count against your license:

Use the "Indexing volume" status dashboard in the Search app to see details about index volume in your infrastructure. Note that the overview includes internal indexing, which does not count against your license.

License violations

Hope that helps!

---
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...