Managing Splunk indexes
When you add data to Splunk, the indexer processes it and stores it in a designated index: the main index by default, or another index that you specify. If you are an administrator, you can manage Splunk indexes to suit your environment or to meet specific business requirements.
Getting started
Splunk index management starts with understanding which indexes currently exist. To see a list of the indexes in Splunk Web, go to Settings and then click on Indexes.
The Indexes page lists every index that is currently defined, including Splunk's preconfigured indexes: _audit, main, and _internal.
Note
In a distributed environment, where the indexer(s) and search head are potentially not part of the same Splunk instance, you should repeat this exercise for each instance.
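Repeating the check on every instance is easier to keep honest when the inventories are compared side by side. The following is an added example, not part of the original text: it assumes each instance's index list has been saved as JSON from Splunk's REST endpoint /services/data/indexes (output_mode=json), and the host names, the web_logs index, and the responses themselves are constructed sample data.

```python
import json

# Constructed sample data: one response per instance, shaped like the JSON
# from GET /services/data/indexes?output_mode=json and trimmed to the fields
# used here. Host names and the "web_logs" index are made up.
def _resp(*indexes):
    return json.dumps({"entry": [
        {"name": name, "content": {"disabled": disabled}}
        for name, disabled in indexes
    ]})

SAMPLE_RESPONSES = {
    "idx1.example.internal": _resp(("_audit", False), ("_internal", False),
                                   ("main", False), ("web_logs", False)),
    "idx2.example.internal": _resp(("_audit", False), ("_internal", False),
                                   ("main", False)),
    "sh1.example.internal": _resp(("_audit", False), ("_internal", False),
                                  ("main", False), ("web_logs", True)),
}

# Preconfigured indexes named on the Indexes page; expected on every instance.
PRECONFIGURED = {"_audit", "_internal", "main"}

def parse_indexes(raw):
    """Map index name -> True if enabled, for one instance's response."""
    inventory = {}
    for entry in json.loads(raw).get("entry", []):
        disabled = entry.get("content", {}).get("disabled", False)
        inventory[entry["name"]] = not disabled
    return inventory

def compare_instances(responses):
    """Per instance, list indexes that are missing (relative to the union
    across all instances plus the preconfigured set) or disabled."""
    inventories = {h: parse_indexes(r) for h, r in responses.items()}
    expected = set(PRECONFIGURED).union(*inventories.values())
    report = {}
    for host, inv in inventories.items():
        missing = sorted(expected - set(inv))
        disabled = sorted(n for n, enabled in inv.items() if not enabled)
        if missing or disabled:
            report[host] = {"missing": missing, "disabled": disabled}
    return report

if __name__ == "__main__":
    for host, findings in compare_instances(SAMPLE_RESPONSES).items():
        print(host, findings)
```

An index that exists on one indexer but is missing or disabled on another is worth resolving before relying on searches or alerts that target it.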
Managing Splunk indexes can be kept simple or it can become very intricate. Index management tasks can include...