Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should I use an empty index as a placeholder for the data models without any data

Iris_Pi
Path Finder
‎12-30-2024 10:20 PM

Hello Everyone,

I'm trying to add index filtering for the datamodels in my setup. I found for some datamodels such as Vulnerabilities, there's no matching data at all.  In this case, should I create an empty index for these datamodels? so that splunk won't do useless search for them.

Please also know me if there are better solution for this case.

Thanks & Regards,
Iris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 12:43 AM
I'm quite sure that then it helps to update empty DM quicker than looking through all indexes. Also can also update times for looking updates into it and one optimization could be to update update frequency, but as you haven't data and just add individual empty index there those are not needed to get DM updated enough quickly.
You should also check from MC that you haven't any skipped searches due to this DM update.
MC -> Search -> Scheduler (or something similar, couldn't remember those exact names)

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-30-2024 11:24 PM
If you are taking about CIM DMs, then there are tags which it’s using to select events into specific DM. You could restrict the base search by separate white list of indexes. This makes updating the DM more efficient as it’s not need to look all indexes to find needed events.
Usually there is no need / sense to create empty / dummy index fort that, you should just add your current indexes where that data is, into this field.
0 Karma
Reply
Solved! Jump to solution

Iris_Pi
Path Finder
‎12-31-2024 12:34 AM

Thank you for your reply.

I am doing what you mentioned: "You can restrict basic searches by whitelisting individual indices. This makes updating DM more efficient as there is no need to look through all indices to find the desired events".

I've added index whitelists for some of the data models. However, for some of them, I have no data ingested, so I thought maybe I should use dummy index for those data models that I don't have data for, so that splunkd doesn't need to search all indexes with certain tags and return nothing.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 12:43 AM
I'm quite sure that then it helps to update empty DM quicker than looking through all indexes. Also can also update times for looking updates into it and one optimization could be to update update frequency, but as you haven't data and just add individual empty index there those are not needed to get DM updated enough quickly.
You should also check from MC that you haven't any skipped searches due to this DM update.
MC -> Search -> Scheduler (or something similar, couldn't remember those exact names)
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...