Firstly, you're thinking about your indexes in terms of a relational database. You usually don't need multiple indexes unless you need: 1) different retention periods or 2) different permissions to the data stored in those indexes. You can fit many different types of data into a single index. They might have different sourcetypes (and be parsed and interpreted differently), and they might come from different sources and hosts.

It's true that operations involving subsearches and stuff like joins are "heavy" on Splunk. And again, Splunk is not a relational database; you don't need to normalize your data here. On the contrary, the more information you have within a single event and the less you have to "reach out" to other objects, the better. So your "denormalization" is a sound idea.
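As an added illustration of the two reasons given above for splitting indexes (retention and permissions) and of several sourcetypes sharing one index, here is a constructed set of Splunk `.conf` fragments; this is example configuration, not part of the original answer, and all index, role, path and sourcetype names are made up.

```ini
# indexes.conf (constructed example): two indexes exist only because
# they need different retention. Events are frozen (rolled off) after
# frozenTimePeriodInSecs; everything else about the data can differ
# freely inside one index.
[app_logs]
homePath   = $SPLUNK_DB/app_logs/db
coldPath   = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb
frozenTimePeriodInSecs = 2592000      # 30 days

[audit_logs]
homePath   = $SPLUNK_DB/audit_logs/db
coldPath   = $SPLUNK_DB/audit_logs/colddb
thawedPath = $SPLUNK_DB/audit_logs/thaweddb
frozenTimePeriodInSecs = 31536000     # 365 days, e.g. for compliance

# authorize.conf (constructed example): the second reason to split is
# access control. Roles are granted search rights per index, so audit
# data can be restricted while application logs stay broadly readable.
[role_app_analyst]
importRoles = user
srchIndexesAllowed = app_logs

[role_auditor]
importRoles = user
srchIndexesAllowed = app_logs;audit_logs

# inputs.conf (constructed example): several sourcetypes, hosts and
# sources land in the same index. Each sourcetype is parsed on its own
# (props.conf/transforms.conf), but no per-type index is needed.
[monitor:///var/log/app/api.log]
index = app_logs
sourcetype = app_api_json

[monitor:///var/log/app/worker.log]
index = app_logs
sourcetype = app_worker_text

[monitor:///var/log/nginx/access.log]
index = app_logs
sourcetype = nginx_access
```

A search such as `index=app_logs sourcetype=app_api_json OR sourcetype=nginx_access` then spans the different data types without any join, which is the denormalized model the answer recommends.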