Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure and deploy indexes

implements custom indexes for event storage. The indexes are defined across the apps provided with .

  • In a single server deployment, the installation of Enterprise Security creates the indexes in the default path for data storage. For an architectural overview, see Single server deployments in this manual.
  • In a Splunk Cloud deployment, customers will work with Splunk Support to setup, manage, and maintain their cloud index parameters. For information on Splunk Cloud index settings, see the Manage indexes topic in the Splunk Cloud Admin Manual.
  • In a distributed search deployment, the indexes must be created on all Splunk platform indexers or search peers. For an architectural overview, see Distributed search deployments in this manual.

Index configuration

The indexes defined in do not provide configuration settings to address:

  • Multiple storage paths
  • Accelerated data models
  • Data retention
  • Bucket sizing
  • Use of volume parameters.

For detailed examples of configuring indexes, see indexes.conf.example in the Splunk Enterprise Admin Manual.

Indexes by app

App context Indexes Description
DA-ESS-ThreatIntelligence ioc Unused in this release.
threat_activity Contains events that result from a threat list match.
SA-AccessProtection access_summary Deprecated in this release. See the Authentication data model.
access_summary2 Deprecated in this release. See the Authentication data model.
SA-AuditAndDataProtection audit_summary Audit and data protection summary index.
audit_summary2 Audit and data protection summary index.
SA-EndpointProtection endpoint_summary Endpoint protection summary index.
endpoint_summary2 Endpoint protection summary index.
SA-IdentityManagement session_start Session management summary index.
session_end Session management summary index.
SA-ThreatIntelligence notable Contains the notable events.
notable_summary Contains a stats summary of notable events used on select dashboards.
risk Contains the risk modifier events.
SA-NetworkProtection network_summary
network_summary2
network_summary3		 Network summary index.
traffic_center_summary
traffic_center_summary2		 Traffic Center summary index.
proxy_center_summary
proxy_center_summary2		 Proxy Center summary index.
whois WHOIS data index.
Splunk_SA_CIM cim_summary Unused in this release.
cim_modactions Contains the adaptive response action events.
Splunk_SA_ExtremeSearch xtreme_contexts Contains the contexts for Extreme search.

In addition, the add-ons might include custom indexes defined in an indexes.conf file.

Index deployment

includes a tool to gather the indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head and assemble them into one add-on. For more details, see Distributed Configuration Management in this manual.

Last modified on 29 April, 2021
Install and deploy add-ons   Configure users and roles

This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters