Just don't keep any spaces rest I will leave it to your imagination😉.

Hi.. 

1. first best practice would be, as said on previous reply, to include source's name as part of index's name. 

maybe, if your company name is "test", you can name your indexes like, "test_windows", test_linux, test_firewall, etc

2. if you have a single splunk environment with dev/test/prod all under one splunk, then, you should have it like, .. dev_windows, test_windows, prod_windows, dev_firewall, dev_proxy, etc

3. how critical the logs are... maybe, you include that as part of the index. example, L1_windows, L2_windows, L3_windows

4. Application names can be included as part of index name... firwall_windows, wmi_windows, java_windows, etc.. 

5. business group names as part of index names.. ... sales_windows, custom_windows, etc

it all depends on how you want to segregate your logs. hope you got some ideas, thanks. 

It’s hard to say what is the best way to naming indexes (or other knowledge objects). You could found some examples from splunk documents.

Personally I prefer to use <source system name>_{audit,tech,apps} or similar suffix to separate security level of events. Then it depends how big your enterprise is, how many parts are in “source system name” to keep it unique in your installations including e.g. AD. Usually this leads to use abbreviations for those.

But I’m sure that there are almost as many ways than users/admins. But if/when you already have master data you should utilize it for naming all splunk KOs.

r. Ismo