Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should I create a large number of indexes?

Gong1027
Explorer
‎08-30-2023 03:36 AM

Dear Splunk experts,

Just want to ask about the general upside/downside of creating a large number of indexes.

Thinking to create a Splunk index per application/service so we may end up with 3K to 5K indexes

But this would allow us to target <<inputs.conf>> based on application/service

Just not sure of the downside of that many indexes...

Appreciate your advice.

Labels (2)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2023 01:06 PM

That's a lot of indexes - perhaps too many.  Having thousands of indexes means having tens (or hundreds) of thousands of buckets, which makes for a lot of files to open (subject to OS limits), decompress, and read.  It increases the chances of having lots of little indexes (and buckets) that are more metadata than data, wasting resources.

Splunk recommends putting data that is commonly used together in searches into the same index for more efficient searching.

There are a few reasons for creating a new index:

1) Data has different access requirements/restrictions

2) Data has different retention requirements

3) Data is of such volume that it warrants a separate index.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2023 01:06 PM

That's a lot of indexes - perhaps too many.  Having thousands of indexes means having tens (or hundreds) of thousands of buckets, which makes for a lot of files to open (subject to OS limits), decompress, and read.  It increases the chances of having lots of little indexes (and buckets) that are more metadata than data, wasting resources.

Splunk recommends putting data that is commonly used together in searches into the same index for more efficient searching.

There are a few reasons for creating a new index:

1) Data has different access requirements/restrictions

2) Data has different retention requirements

3) Data is of such volume that it warrants a separate index.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Gong1027
Explorer
‎09-04-2023 05:42 PM

Thanks!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-01-2023 12:30 AM

Hi

it’s just like @richgalloway said. Try to avoid to create any unnecessary indexes. There is upper limit of indexes both technical and usability point of view.

I assume that you have big indexer clusters in use and there are limit for max amount of buckets you could use some tenth millions I assume. I haven’t seen those limit since version 8 (in some conf presentation).

If you really need that amount of indexes then you probably must create several indexer clusters to manage that amount of buckets. In that case I suggest you to contact your local splunk partner or Splunk’s PS service to update your architecture!

r. Ismo

Reply
Solved! Jump to solution

Gong1027
Explorer
‎09-05-2023 06:36 PM

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...