Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should I create a large number of indexes?

Gong1027
Explorer
‎08-30-2023 03:36 AM

Dear Splunk experts,

Just want to ask about the general upside/downside of creating a large number of indexes.

Thinking to create a Splunk index per application/service so we may end up with 3K to 5K indexes

But this would allow us to target <<inputs.conf>> based on application/service

Just not sure of the downside of that many indexes...

Appreciate your advice.

Labels (2)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2023 01:06 PM

That's a lot of indexes - perhaps too many.  Having thousands of indexes means having tens (or hundreds) of thousands of buckets, which makes for a lot of files to open (subject to OS limits), decompress, and read.  It increases the chances of having lots of little indexes (and buckets) that are more metadata than data, wasting resources.

Splunk recommends putting data that is commonly used together in searches into the same index for more efficient searching.

There are a few reasons for creating a new index:

1) Data has different access requirements/restrictions

2) Data has different retention requirements

3) Data is of such volume that it warrants a separate index.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2023 01:06 PM

That's a lot of indexes - perhaps too many.  Having thousands of indexes means having tens (or hundreds) of thousands of buckets, which makes for a lot of files to open (subject to OS limits), decompress, and read.  It increases the chances of having lots of little indexes (and buckets) that are more metadata than data, wasting resources.

Splunk recommends putting data that is commonly used together in searches into the same index for more efficient searching.

There are a few reasons for creating a new index:

1) Data has different access requirements/restrictions

2) Data has different retention requirements

3) Data is of such volume that it warrants a separate index.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Gong1027
Explorer
‎09-04-2023 05:42 PM

Thanks!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-01-2023 12:30 AM

Hi

it’s just like @richgalloway said. Try to avoid to create any unnecessary indexes. There is upper limit of indexes both technical and usability point of view.

I assume that you have big indexer clusters in use and there are limit for max amount of buckets you could use some tenth millions I assume. I haven’t seen those limit since version 8 (in some conf presentation).

If you really need that amount of indexes then you probably must create several indexer clusters to manage that amount of buckets. In that case I suggest you to contact your local splunk partner or Splunk’s PS service to update your architecture!

r. Ismo

Reply
Solved! Jump to solution

Gong1027
Explorer
‎09-05-2023 06:36 PM

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...