Add-ons and indexes
Splunk stores the data that it collects in indexes. Understanding Splunk indexes is important for ensuring good performance when you search, for setting retention policies, and for providing data security (controlling who has access to the data). Out of the box, all data collected by Splunk supported add-ons is indexed to the default Splunk index, main. Splunk administrators are encouraged to change the index that is used for the source types in the add-on from the default index to another index that will meet the retention requirements and user access needs for this data source.
You can change the index that is used for the data source when configuring the add-on. Some add-ons include a setup page that allows you to specify the index to send your data to. Note that these setup pages can only list indexes that are locally configured on that node. For add-ons that do not include a setup page, or for hosts that cannot list the desired index, you can edit the inputs.conf file directly to specify the index to use for the data collected by the input. To do this, add the following line to the input's stanza in inputs.conf on the Splunk Enterprise component where the data is entering the system, usually a forwarder:

index = <index_name>
Note that you must first create the index and ensure that it is in place on all nodes that may receive data before data from the add-on can be routed to it.
See Set up multiple indexes in the Managing Indexers and Clusters of Indexers manual for more information about creating and using indexes.
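The following Python script is an added example, not part of this page or of Splunk's own tooling. It reads constructed sample copies of a forwarder's inputs.conf, an indexer's indexes.conf and a search head's authorize.conf (the stanza names, index names and role names are invented for the example) and performs the checks described above: which index each input stanza routes to (falling back to main when no index line is set), which inputs point at an index that is not defined on the node, what retention that index has, and which roles are allowed to search it.

```python
import configparser
import fnmatch

# Constructed sample files (not from the page). Index and role names are invented.
INPUTS_CONF = """\
[monitor:///var/log/secure]
sourcetype = linux_secure
index = secure_auth

[monitor:///var/log/app.log]
sourcetype = app_log

[udp://2055]
sourcetype = netflow
index = netflow
"""

INDEXES_CONF = """\
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb

[secure_auth]
homePath = $SPLUNK_DB/secure_auth/db
coldPath = $SPLUNK_DB/secure_auth/colddb
thawedPath = $SPLUNK_DB/secure_auth/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 51200
"""

AUTHORIZE_CONF = """\
[role_secops]
importRoles = user
srchIndexesAllowed = secure_auth;main
srchIndexesDefault = secure_auth

[role_appdev]
importRoles = user
srchIndexesAllowed = main
"""

DEFAULT_INDEX = "main"  # Splunk's built-in default index


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def effective_index(stanza, conf_default=None):
    """Index an input stanza routes to: its own 'index', else the [default]
    stanza's index, else Splunk's built-in default 'main'."""
    return stanza.get("index") or conf_default or DEFAULT_INDEX


def routed_indexes(inputs):
    """Map every input stanza to the index its data will be written to."""
    conf_default = inputs.get("default", {}).get("index")
    return {name: effective_index(body, conf_default)
            for name, body in inputs.items() if name != "default"}


def defined_indexes(indexes):
    """Stanzas in indexes.conf that define an index (skip [default] and volume:*)."""
    return {name for name in indexes
            if name != "default" and not name.startswith("volume:")}


def missing_indexes(inputs, indexes):
    """Inputs whose target index is not defined on this node; these must be
    created before the add-on's data can be routed there."""
    defined = defined_indexes(indexes)
    return {stanza: idx for stanza, idx in routed_indexes(inputs).items()
            if idx not in defined}


def retention_days(indexes, index_name):
    """frozenTimePeriodInSecs expressed in days; None if the index inherits the default."""
    secs = indexes[index_name].get("frozenTimePeriodInSecs")
    return int(secs) / 86400 if secs else None


def roles_allowed(authorize, index_name):
    """Roles whose srchIndexesAllowed (semicolon-separated, wildcards permitted)
    covers the given index."""
    allowed = []
    for role, body in authorize.items():
        raw = body.get("srchIndexesAllowed", "")
        patterns = [p.strip() for p in raw.split(";") if p.strip()]
        if any(fnmatch.fnmatchcase(index_name, p) for p in patterns):
            allowed.append(role)
    return sorted(allowed)


if __name__ == "__main__":
    inputs = parse_conf(INPUTS_CONF)
    indexes = parse_conf(INDEXES_CONF)
    authorize = parse_conf(AUTHORIZE_CONF)
    for stanza, idx in routed_indexes(inputs).items():
        print(f"{stanza} -> {idx}")
    print("inputs routed to undefined indexes:", missing_indexes(inputs, indexes))
    print("secure_auth retention (days):", retention_days(indexes, "secure_auth"))
    print("roles that can search secure_auth:", roles_allowed(authorize, "secure_auth"))
```

Run against real files, the script would be pointed at inputs.conf on the forwarder and at indexes.conf and authorize.conf on each indexer and search head, since an index defined on one node but not another is exactly the case the note above warns about. The netflow stanza in the sample is deliberately routed to an index that indexes.conf does not define, so it shows up in the missing list.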