Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should I use an empty index as a placeholder for the data models without any data

Iris_Pi
Path Finder
Monday

Hello Everyone,

I'm trying to add index filtering for the datamodels in my setup. I found for some datamodels such as Vulnerabilities, there's no matching data at all.  In this case, should I create an empty index for these datamodels? so that splunk won't do useless search for them.

Please also know me if there are better solution for this case.

Thanks & Regards,
Iris

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
Tuesday
I'm quite sure that then it helps to update empty DM quicker than looking through all indexes. Also can also update times for looking updates into it and one optimization could be to update update frequency, but as you haven't data and just add individual empty index there those are not needed to get DM updated enough quickly.
You should also check from MC that you haven't any skipped searches due to this DM update.
MC -> Search -> Scheduler (or something similar, couldn't remember those exact names)

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
Monday
If you are taking about CIM DMs, then there are tags which it’s using to select events into specific DM. You could restrict the base search by separate white list of indexes. This makes updating the DM more efficient as it’s not need to look all indexes to find needed events.
Usually there is no need / sense to create empty / dummy index fort that, you should just add your current indexes where that data is, into this field.
0 Karma
Reply
Solved! Jump to solution

Iris_Pi
Path Finder
Tuesday

Thank you for your reply.

I am doing what you mentioned: "You can restrict basic searches by whitelisting individual indices. This makes updating DM more efficient as there is no need to look through all indices to find the desired events".

I've added index whitelists for some of the data models. However, for some of them, I have no data ingested, so I thought maybe I should use dummy index for those data models that I don't have data for, so that splunkd doesn't need to search all indexes with certain tags and return nothing.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
Tuesday
I'm quite sure that then it helps to update empty DM quicker than looking through all indexes. Also can also update times for looking updates into it and one optimization could be to update update frequency, but as you haven't data and just add individual empty index there those are not needed to get DM updated enough quickly.
You should also check from MC that you haven't any skipped searches due to this DM update.
MC -> Search -> Scheduler (or something similar, couldn't remember those exact names)
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...