Dealing with multiple indexes
If you do not specify an index in a search, Splunk searches your default index (normally main; the actual set of default indexes depends on the role(s) assigned to you and on how those roles are configured). As a Splunk administrator, you can create as many additional indexes as you need through Splunk Web, the CLI, or by editing the indexes.conf file directly.
Reasons for multiple indexes
There are three main reasons why you might want, or need, to set up additional indexes in your Splunk environment. These are as follows:
Security: You can use indexes to control access to data, because search permissions in Splunk are granted per index, not per event. When you assign users to roles, you can limit which indexes a role is allowed to search (and which it searches by default), so a user can only reach the data in the indexes that their role permits.
Retention: The data that Splunk indexes might have to be preserved for a specific period of time and then be discarded, based on business or regulatory requirements. Retention is configured per index, so if all the data is in the same index, it is difficult to parse...
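As an added example (this is not configuration from the original text, and the index names, file paths, retention periods and role name are all invented for illustration), the following shows how the points above fit together on disk: indexes.conf creates two indexes with different retention settings, inputs.conf routes a data source into one of them, and authorize.conf restricts a role to a single index. Edits to indexes.conf take effect after a Splunk restart; indexes created through Splunk Web or the CLI do not need one.

```ini
# ---- indexes.conf (example; paths and retention values are assumptions) ----
# Retention is set per index, which is why data with different
# retention requirements belongs in different indexes.

[web_access]
homePath   = $SPLUNK_DB/web_access/db
coldPath   = $SPLUNK_DB/web_access/colddb
thawedPath = $SPLUNK_DB/web_access/thaweddb
# Age data out after 90 days (90 * 86400 seconds).
frozenTimePeriodInSecs = 7776000
# Also cap the total size, so one noisy source cannot fill the disk;
# whichever limit is hit first causes the oldest bucket to be frozen.
maxTotalDataSizeMB = 50000

[audit_finance]
homePath   = $SPLUNK_DB/audit_finance/db
coldPath   = $SPLUNK_DB/audit_finance/colddb
thawedPath = $SPLUNK_DB/audit_finance/thaweddb
# Keep 7 years (7 * 365 * 86400 seconds). Instead of deleting frozen
# buckets, copy them to an archive directory (assumed path) first.
frozenTimePeriodInSecs = 220752000
coldToFrozenDir = /archive/splunk/audit_finance

# ---- inputs.conf (example) ----
# Route the source into the new index. Without an index= setting the
# events land in the default index (main), where the role below cannot
# see them and where the 90-day policy would not apply.
[monitor:///var/log/nginx/access.log]
index = web_access
sourcetype = access_combined

# ---- authorize.conf (example) ----
# A role that can search only the finance audit index. Note that the
# role does NOT import 'user' or 'power': imported roles contribute
# their own index access, and the stock roles can search main and the
# other non-internal indexes, which would silently undo the restriction.
# Capabilities needed by the role are therefore listed explicitly.
[role_finance_auditor]
search = enabled
srchIndexesAllowed = audit_finance
srchIndexesDefault = audit_finance
```

A member of role_finance_auditor who runs a search without `index=` gets audit_finance by default, and a search for `index=web_access` or `index=main` returns nothing because those indexes are outside srchIndexesAllowed. Both index lists are semicolon-separated and accept wildcards (for example `audit_*`), so related indexes can be named by a common prefix; a production role will also need further capabilities beyond `search` for a usable Splunk Web session, and these should be granted individually rather than by importing a broadly privileged role.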