Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure and deploy indexes

implements custom indexes for event storage. The indexes are defined across the apps provided with .

  • In a single instance deployment, the installation of Enterprise Security creates the indexes in the default path for data storage.
  • In a Splunk Cloud Platform deployment, customers work with Splunk Support to set up, manage, and maintain their cloud index parameters. See Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.
  • In a distributed deployment, create the indexes on all Splunk platform indexers or search peers.

Index configuration

The indexes defined in do not provide configuration settings to address:

  • Multiple storage paths
  • Accelerated data models
  • Data retention
  • Bucket sizing
  • Use of volume parameters.

For detailed examples of configuring indexes, see indexes.conf.example in the Splunk Enterprise Admin Manual.

Indexes by app

You might see additional or fewer indexes, depending on your capabilities and which apps you have installed. The following are non-system indexes.

App context Index Description
DA-ESS-AccessProtection gia_summary Summary index used by the Geographically Improbable Access panel on the Access Anomalies dashboard.
DA-ESS-ThreatIntelligence ioc Unused in this release.
threat_activity Contains events that result from a threat list match.
SA-AuditAndDataProtection audit_summary Audit and Data Protection summary index.
SA-EndpointProtection endpoint_summary Endpoint protection summary index.
SA-NetworkProtection whois WHOIS data index.
SA-ThreatIntelligence notable Contains the notable events.
notable_summary Contains a stats summary of notable events used on select dashboards.
risk Contains the risk modifier events.
Splunk_DA-ESS_PCICompliance pci If PCI is installed, contains the PCI event data.
pci_posture_summary If PCI is installed, contains the PCI compliance status history.
pci_summary If PCI is installed, contains the PCI summary data.
Splunk_SA_CIM cim_summary Unused in this release.
cim_modactions Contains the adaptive response action events.
Splunk_TA_ueba ubaroute Does not contain event data. Used behind the scenes for routing to your UBA target.
ueba Contains UBA events.
SplunkEnterpriseSecuritySuite sequenced_events Contains sequenced event data, after the successful termination of a sequence template.

Add-ons can include custom indexes defined in an indexes.conf file. See About managing indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Index deployment

includes a tool to gather the indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head and assemble them into one add-on. For more details, see Deploy add-ons included with Splunk Enterprise Security in this manual.

Last modified on 19 January, 2022
Integrate Splunk Stream with Splunk Enterprise Security   Configure users and roles

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters