Installation

One Application in 3 indexes?

ChrisMalt
Engager

Hello,

We have Splunk in my new company and I am trying to understand Splunk and the environment.

So, they have firewall logs (from one product) in 3 different indexes, one for traffic, one for threats and one for other firewall logs. Is this normal? Seems a bit inefficient especially with regards to organization of logs and when searching. They also have combined 2 different firewall products into one of the indexes. I thought each product should have its own index?

The person who did the deployment said that this was done for efficiency but this somehow seems to be counterproductive. Am I missing something when I have to search 3 different indexes to get complete results for a certain IP?

Any advice is appreciated,


Thank you,
CM


chaker
Contributor

Indexes are where the data gets stored on disk. Access control and retention periods are applied per index. If you have two sources of data in one index, if the access control or retention requirements change for either source of data, both sources will have to follow the new rules.

Keeping sources of data from the same appliance in different indexes could be a good approach for performance reasons. 

The main thing to remember is access control and retention is set per index. There is no real performance issue here, but make sure you specify the indexes in the search. If it helps, create a macro `my_fw_indexes` and include the index definitions in that.


ChrisMalt
Engager

So, as I understand it, apart from extra effort in searches/correlations this has no impact.
Thank you for the detailed replies Chaker and Gcusello.

One last question, are there any best practices for creating multiple indexes from the same application? Or just best practices for creating indexes, especially from an ES point of view?


gcusello
SplunkTrust

Hi @ChrisMalt,

No, there isn't any best practice for this, only the logic that I described in my previous answer.

As I said, once you have satisfied the retention and access-grant requirements, you can create as many or as few indexes as you like, using logical data grouping; my only hint is to avoid managing too many indexes.

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉


gcusello
SplunkTrust

Hi @ChrisMalt,

As @chaker said, the only rules for creating different indexes are:

  • retention period,
  • access rights.

In other words, you can also put heterogeneous data from different data sources in the same index if they have the same retention and the same access rights.

There aren't performance rules for this; possibly, if you have different storage tiers, you can locate your indexes on different ones.

You can also create different logical indexes (e.g. one for wineventlog, one for appliances, etc.), but it isn't mandatory and it hasn't any performance advantage, with the disadvantage of having more indexes to manage!

You could also consider this: while you have few indexes, you can also create new ones, but when you have many indexes it is more difficult to manage them in searches and access rights.

In the end, Splunk isn't a database where you have a table, with its own fields, for each data source: in Splunk you have silos (indexes) where different data (with the same retention and access rights) are stored; data are defined by the sourcetype, and in fact all the knowledge objects are usually associated with a sourcetype (fields, eventtypes, etc.).

Ciao.

Giuseppe
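To make the two answers above concrete, here is what the per-index retention, the per-index access control and the `my_fw_indexes` search macro that @chaker suggested look like in Splunk's .conf files. This is an added example, not configuration posted in the thread or shipped by Splunk: the index names `fw_traffic`, `fw_threat` and `fw_system`, the role name `fw_analyst`, the retention periods and the IP address are assumptions chosen for illustration, and the field names in the sample search depend on the field extractions your firewall sourcetypes provide. The three files are shown in one block for compactness; in a deployment each goes into its own file under an app's `local/` directory (indexes.conf on the indexers, the other two on the search head).

```ini
# ---- indexes.conf (indexers) ----
# Retention is set per index: frozenTimePeriodInSecs is the age (in seconds)
# at which a bucket is frozen, i.e. deleted unless coldToFrozenDir is set.
# Keeping traffic, threat and system logs in separate indexes is what lets
# each of them have its own value here. All periods below are assumptions.

[fw_traffic]
homePath   = $SPLUNK_DB/fw_traffic/db
coldPath   = $SPLUNK_DB/fw_traffic/colddb
thawedPath = $SPLUNK_DB/fw_traffic/thaweddb
# 90 days
frozenTimePeriodInSecs = 7776000

[fw_threat]
homePath   = $SPLUNK_DB/fw_threat/db
coldPath   = $SPLUNK_DB/fw_threat/colddb
thawedPath = $SPLUNK_DB/fw_threat/thaweddb
# 365 days: threat events are kept longer than raw traffic
frozenTimePeriodInSecs = 31536000

[fw_system]
homePath   = $SPLUNK_DB/fw_system/db
coldPath   = $SPLUNK_DB/fw_system/colddb
thawedPath = $SPLUNK_DB/fw_system/thaweddb
# 30 days
frozenTimePeriodInSecs = 2592000

# ---- authorize.conf (search head) ----
# Access control is set per index. This (assumed) role can search traffic and
# threat logs but not the firewall system/audit logs, which is only possible
# because those live in their own index. Role stanzas are named role_<name>;
# index lists are separated by semicolons.

[role_fw_analyst]
importRoles = user
srchIndexesAllowed = fw_traffic;fw_threat
srchIndexesDefault = fw_traffic;fw_threat

# ---- macros.conf (a shared app) ----
# One macro hides the index split from analysts, so a search for an IP across
# all three indexes does not have to repeat the index list each time.
# Two firewall products can share an index as long as each has its own
# sourcetype: field extractions and other knowledge objects bind to the
# sourcetype, not to the index.

[my_fw_indexes]
definition = (index=fw_traffic OR index=fw_threat OR index=fw_system)
iseval = 0

# Sample SPL using the macro (field names assume CIM-style extractions):
#   `my_fw_indexes` (src_ip=10.1.2.3 OR dest_ip=10.1.2.3)
#   | stats count BY index, sourcetype, action
```

Two practical checks follow from this layout. First, a user whose role lacks an index in `srchIndexesAllowed` silently gets no results from that index rather than an error, so verify role grants with a search such as `| eventcount summarize=false index=fw_*` run as that user. Second, an index is only excluded from a search that does not name it; the macro is what keeps analysts from forgetting the third index when they investigate an address.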

