Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should I use an empty index as a placeholder for the data models without any data

Iris_Pi
Path Finder
‎12-30-2024 10:20 PM

Hello Everyone,

I'm trying to add index filtering for the datamodels in my setup. I found for some datamodels such as Vulnerabilities, there's no matching data at all.  In this case, should I create an empty index for these datamodels? so that splunk won't do useless search for them.

Please also know me if there are better solution for this case.

Thanks & Regards,
Iris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 12:43 AM
I'm quite sure that then it helps to update empty DM quicker than looking through all indexes. Also can also update times for looking updates into it and one optimization could be to update update frequency, but as you haven't data and just add individual empty index there those are not needed to get DM updated enough quickly.
You should also check from MC that you haven't any skipped searches due to this DM update.
MC -> Search -> Scheduler (or something similar, couldn't remember those exact names)

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-30-2024 11:24 PM
If you are taking about CIM DMs, then there are tags which it’s using to select events into specific DM. You could restrict the base search by separate white list of indexes. This makes updating the DM more efficient as it’s not need to look all indexes to find needed events.
Usually there is no need / sense to create empty / dummy index fort that, you should just add your current indexes where that data is, into this field.
0 Karma
Reply
Solved! Jump to solution

Iris_Pi
Path Finder
‎12-31-2024 12:34 AM

Thank you for your reply.

I am doing what you mentioned: "You can restrict basic searches by whitelisting individual indices. This makes updating DM more efficient as there is no need to look through all indices to find the desired events".

I've added index whitelists for some of the data models. However, for some of them, I have no data ingested, so I thought maybe I should use dummy index for those data models that I don't have data for, so that splunkd doesn't need to search all indexes with certain tags and return nothing.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 12:43 AM
I'm quite sure that then it helps to update empty DM quicker than looking through all indexes. Also can also update times for looking updates into it and one optimization could be to update update frequency, but as you haven't data and just add individual empty index there those are not needed to get DM updated enough quickly.
You should also check from MC that you haven't any skipped searches due to this DM update.
MC -> Search -> Scheduler (or something similar, couldn't remember those exact names)
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top