Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the advantages and disadvantages of placing logs from multiple applications in different indexes?

NatWong
Explorer
‎06-22-2015 08:15 PM

Hi,

I am sending logs from multiple applications to SPLUNK. Would appreciate advice on what are the advantages/disadvantages of placing those apps logs in different indexes (i.e. applicationA_index , applicationB_index) as compared to one index.

Thanks in advance gurus !

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-22-2015 09:41 PM

The hard reasons for separate indexes are retention time, maximum index size, and access restrictions.

If two logs end up in the same index, they will...

  • age out at the same time
  • get cleaned up upon occupying the same amount of disk space
  • are searchable by the same roles

A softer reason would be as an additional layer of hierarchy/structure to logically separate your data.
Another softer reason can be performance, for example if you have a very high volume source and a very low volume source. By separating the two you may improve search performance on the low volume source. I wouldn't compromise maintainability for this though unless you observe real issues.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-22-2015 09:41 PM

The hard reasons for separate indexes are retention time, maximum index size, and access restrictions.

If two logs end up in the same index, they will...

  • age out at the same time
  • get cleaned up upon occupying the same amount of disk space
  • are searchable by the same roles

A softer reason would be as an additional layer of hierarchy/structure to logically separate your data.
Another softer reason can be performance, for example if you have a very high volume source and a very low volume source. By separating the two you may improve search performance on the low volume source. I wouldn't compromise maintainability for this though unless you observe real issues.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...