Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. Click here for the latest version.
Acrobat logo Download topic as PDF

List of Indexes

The Enterprise Security app utilizes a number of custom indexes for event storage. Custom indexes are defined in the indexes.conf in the SA* or TA* applications that comprise the complete Enterprise Security app.

  • In a single server deployment, the indexes will be defined and reside on the same instance. For an architectural overview, see the topic on "Single server deployments" in this manual.
  • In all other deployments, the indexes must be created on all Splunk Enterprise indexers, or search peers. For an architectural overview, see the topic on "Distributed search deployments" in this manual.


The Splunk App for Enterprise Security includes the sample app SA-ForIndexers with the collection of ES custom indexes as an example for deploying a common indexes.conf as an app. The sample app is available in an archive file contained in the Enterprise Security Install App. You will need server access to unzip the archive where the sample apps are stored.

  1. Unzip this file: SplunkEnterpriseSecuritySuiteInstaller/default/src/splunk_app_es-*.zip.
  2. After unzipping, the deployment-apps can be found at: SplunkEnterpriseSecuritySuiteInstaller/default/src/etc/deployment-apps.

The SA-ForIndexers sample app indexes.conf file should be used for reference only. It does not provide comprehensive examples to address:

  • Multiple storage paths
  • Accelerated data models
  • Data Retention
  • Bucket sizing
  • Use of volume parameters.

For detailed examples, see the indexes.conf.example topic in the Splunk Enterprise Admin Manual.

Indexes by SA

App context Indexes
SA-AccessProtection * access_summary
* access_summary2
SA-AuditAndDataProtection * audit_summary
* audit_summary2
SA-EndpointProtection * endpoint_summary
* endpoint_summary2
* xtreme_contexts
SA-IdentityManagement * session_start
* session_end
DA-ESS-ThreatIntelligence * The ioc index is unused in this release.
* The threat_activity index contains threat list match events.
SA-ThreatIntelligence * The notable index contains the notable events.
* The notable_summary index contains a stats summary of notable events used on select dashboards.
* The risk index contains the risk modifier events.
SA-NetworkProtection * network_summary
* network_summary2
* network_summary3
* traffic_center_summary
* traffic_center_summary2
* proxy_center_summary
* proxy_center_summary2
* whois
Splunk_SA_CIM * cim_summary
Last modified on 14 April, 2015
Data models in the Enterprise Security app
List of reports by security domain

This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters