Hi,
Is there a recommendation or a guideline available by Splunk on naming convention for INDEXES
I have a new Splunk Enterprise environment at my company with a plan of roughly 70 data sources to be onboarded one after the other.
For example the Windows TA has
I would be happy for each input i can get from you.
Thank you in advance,
Jay
Thanks everyone, i have decided to create something like "technology_vendor"
Jay
Just don't keep any spaces rest I will leave it to your imagination😉.
Hi..
1. first best practice would be, as said on previous reply, to include source's name as part of index's name.
maybe, if your company name is "test", you can name your indexes like, "test_windows", test_linux, test_firewall, etc
2. if you have a single splunk environment with dev/test/prod all under one splunk, then, you should have it like, .. dev_windows, test_windows, prod_windows, dev_firewall, dev_proxy, etc
3. how critical the logs are... maybe, you include that as part of the index. example, L1_windows, L2_windows, L3_windows
4. Application names can be included as part of index name... firwall_windows, wmi_windows, java_windows, etc..
5. business group names as part of index names.. ... sales_windows, custom_windows, etc
it all depends on how you want to segregate your logs. hope you got some ideas, thanks.
It’s hard to say what is the best way to naming indexes (or other knowledge objects). You could found some examples from splunk documents.
Personally I prefer to use <source system name>_{audit,tech,apps} or similar suffix to separate security level of events. Then it depends how big your enterprise is, how many parts are in “source system name” to keep it unique in your installations including e.g. AD. Usually this leads to use abbreviations for those.
But I’m sure that there are almost as many ways than users/admins. But if/when you already have master data you should utilize it for naming all splunk KOs.
r. Ismo