With Splunk's normalizing timestamp-based event indexing capabilities combined with its powerful search language and processing commands, one would think that all you need is one big main index.
So why is there more than one index and what are the reasons for creating additional indexes?
Multiple indexes are indicated usually for two reasons:
Performance is not a typical consideration, and the effect of multiple indexes vs. a single one for a given set of data varies greatly depending on the exact nature of the data and the exact queries or mix of queries to be performed against it.
There are performance goals as well: sparse data (login errors) will be more performant when searched apart from bulk data (firewall rule traversals). There's administrative overhead in creating multiple indexes (you have to configure them), but when you will have a large amount of data of quite different volumes in high-performance environments this can be worthwhile. This is the main reason that summary indexing goes to a new index (it could use the same one).
There are more obscure cases as well for performance, such as different segmentation per index, but ideally this is not necessary.
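As an added illustration of the separation the answer above describes (not configuration from the original thread or from Splunk's documentation), the stanzas below put high-volume firewall traffic and sparse authentication failures in their own indexes, each with its own retention, and send a scheduled summary search into a third index rather than back into the source index. All index names, paths, sizes, retention periods, sourcetypes and the saved-search name are assumptions chosen for the example; adjust them to the deployment.

```ini
# indexes.conf (indexer tier). Splunk only honours '#' at the start of a line,
# so comments are kept on their own lines.

# Bulk data: every firewall rule traversal. Large, short retention.
[firewall]
homePath   = $SPLUNK_DB/firewall/db
coldPath   = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxTotalDataSizeMB     = 500000
# 30 days
frozenTimePeriodInSecs = 2592000

# Sparse data: authentication failures. Small, kept much longer, and
# searched without having to read past the firewall buckets.
[auth]
homePath   = $SPLUNK_DB/auth/db
coldPath   = $SPLUNK_DB/auth/colddb
thawedPath = $SPLUNK_DB/auth/thaweddb
maxTotalDataSizeMB     = 20000
# 365 days
frozenTimePeriodInSecs = 31536000

# Destination for summary indexing; deliberately not the source index.
[summary_auth]
homePath   = $SPLUNK_DB/summary_auth/db
coldPath   = $SPLUNK_DB/summary_auth/colddb
thawedPath = $SPLUNK_DB/summary_auth/thaweddb
# 2 years of hourly roll-ups
frozenTimePeriodInSecs = 63072000

# inputs.conf (forwarder). Route each input to its index at ingest time;
# file paths and sourcetypes are assumed for the example.
[monitor:///var/log/firewall/]
index      = firewall
sourcetype = fw:traffic

[monitor:///var/log/auth.log]
index      = auth
sourcetype = linux_secure

# savedsearches.conf (search head). Hourly roll-up of failed logins written
# to summary_auth with the si- form of stats so the summary can be queried
# with the same stats command later.
[auth_failures_hourly]
search                     = index=auth "Failed password" | sistats count by src, user
enableSched                = 1
cron_schedule              = 5 * * * *
dispatch.earliest_time     = -1h@h
dispatch.latest_time       = @h
action.summary_index       = 1
action.summary_index._name = summary_auth
```

With this in place a query such as `index=auth "Failed password" | stats count by src` only touches the small auth index, and `index=summary_auth | stats count by src, user` answers the long-range question from the roll-ups instead of re-scanning raw events. The cost is exactly the administrative overhead the answer mentions: three index stanzas to size and retain, plus the routing and the scheduled search to maintain.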