Hi Silvia,
This is a very subjective question that depends very much on the data requirements and environment on your side. That being said, a few key items to consider would be:
Indexes:
1. Data retention: Data aging is defined at the index level. This matters if you have two sets of data needing different handling from a retention perspective (consider this even from a hot/warm/cold standpoint).
2. Data sizing/hardware resources: Depending on your hardware, there should be an optimal size for your index. You do not want indexes to be too large from a purely storage standpoint. So if you are short on storage and are servicing multiple teams, setting up different indexes does offer a good way to accommodate all.
3. Search overhead: Theoretically, searches would be faster on smaller indexes than on very large indexes. If there is a requirement for certain data to be available for high-priority/quick searches, it might be better not to mingle this data with other indexes.
Sourcetypes:
Sourcetype is one of the options you can use in props.conf to define multiple data configurations. Check out props.conf. So just from a hindsight perspective, it might be worthwhile not to bundle all data together, in the interest of future flexibility.
1. If the data formats are different (e.g., access and error logs), having them in separate sourcetypes will better organize your data within Splunk and help with the above point in terms of giving you the flexibility to operate on each format differently. For example, you can define lookups just on access logs and not on error logs, field extractions just on error logs, etc.
2. Also, sourcetypes help narrow down your searches. index=x sourcetype=y will be a faster search than index=x.
Pretty sure there are other benefits and viewpoints which I hope others will point out as well. But to answer your question (assuming your topics are broad), yes, there are advantages to splitting your data into separate indexes and sourcetypes.
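As an added illustration of the points above (not part of the original answer), the following Splunk configuration keeps access and error logs in separate indexes with different retention and size limits, and in separate sourcetypes so a lookup applies only to access logs and a field extraction only to error logs. The index names, sourcetype names, log paths, lookup file and regex are all assumed for the example.

```ini
# --- inputs.conf (forwarder): route each log to its own index and sourcetype ---
[monitor:///var/log/app/access.log]
index = web_access
sourcetype = app_access

[monitor:///var/log/app/error.log]
index = web_error
sourcetype = app_error

# --- indexes.conf (indexers): retention and sizing are set per index ---
[web_access]
homePath   = $SPLUNK_DB/web_access/db
coldPath   = $SPLUNK_DB/web_access/colddb
thawedPath = $SPLUNK_DB/web_access/thaweddb
# roll to frozen after 90 days (deleted unless a coldToFrozen* setting is defined)
frozenTimePeriodInSecs = 7776000
# cap the index so a chatty access log cannot fill the volume shared with other teams
maxTotalDataSizeMB = 204800

[web_error]
homePath   = $SPLUNK_DB/web_error/db
coldPath   = $SPLUNK_DB/web_error/colddb
thawedPath = $SPLUNK_DB/web_error/thaweddb
# errors are lower volume but needed longer for investigations: keep 1 year
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 51200

# --- props.conf (search head): search-time behaviour is keyed on sourcetype ---
[app_access]
# enrich client IPs with geo data, but only for access logs
LOOKUP-client_geo = client_geo clientip OUTPUTNEW country city

[app_error]
# pull a numeric error code out of lines like "... ERR1042 ...", only for error logs
EXTRACT-error_code = ERR(?<error_code>\d{4})

# --- transforms.conf (search head): the lookup table referenced above ---
[client_geo]
filename = client_geo.csv
```

With this layout, index=web_access sourcetype=app_access scans only the access buckets, and changing retention for one log type is a single frozenTimePeriodInSecs edit that does not touch the other.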