Hello, we have Splunk in my new company and I am trying to understand Splunk and the environment. So, they have firewall logs (from one product) in 3 different indexes: one for traffic, one for threats, and one for other firewall logs. Is this normal? It seems a bit inefficient, especially with regard to the organization of logs and when searching. They also have combined 2 different firewall products into one of the indexes. I thought each product should have its own index? The person who did the deployment said that this was done for efficiency, but this somehow seems to be counterproductive. Am I missing something when I have to search 3 different indexes to get complete results for a certain IP?

Any advice is appreciated.

Thank you,
CM