Hi,
I'm planning the event sources for Splunk and I'd like to know (if someone could give an answer) how Splunk decides which index to use. I know from database theory that every time a query is processed, the query plan is built and there is an opportunity for improving the performance of a query. I know in Splunk one can define new indexes, but I really don't know how specific one can be (i.e., telling which field is indexed, which type of index, etc.).
I'm about to handle a lot of events and would love to fine-tune these aspects.
One more small question: once an index has been used in the first part of a search, the opportunity of using indexes on successive piped operations is lost (the same happens once you use an index on a relational database and then perform sub-queries or joins with the remaining entries). Is this correct?
Any pointer to index internals, how indexes are chosen for a query, would be of great help.