Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

What's a Splunk index?

The index is the repository for Splunk data. While processing incoming data, Splunk transforms the raw data into events, which it stores in indexes.

Indexes reside in flat files in a datastore on your file system. Splunk manages its index files to facilitate flexible searching and fast data retrieval, eventually archiving them according to a user-configurable schedule. Splunk handles everything with flat files; it doesn't require any third-party database software running in the background.

During indexing, Splunk processes incoming raw data to enable fast search and analysis, storing the result in an index. As part of the indexing process, Splunk adds knowledge to the data in various ways, including by:

  • Separating the data stream into individual, searchable events.
  • Creating or identifying timestamps.
  • Extracting fields such as host, source, and sourcetype.
  • Performing user-defined actions on the incoming data, such as identifying custom fields, masking sensitive data, writing new or modified keys, applying breaking rules for multi-line events, filtering unwanted events, and routing events to specified indexes or servers.

To start the indexing process, simply specify the data inputs, using Splunk Web, the CLI, or the inputs.conf file. You can add additional inputs at any time, and Splunk will begin indexing them as well. See "What Splunk can index" in the Getting Data In manual.

Splunk, by default, puts all user data into a single, preconfigured index. It also employs several other indexes for internal purposes. You can add new indexes and manage existing ones to meet your data requirements. See "Manage indexes" in this manual.
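The steps listed above (event breaking, timestamp recognition, masking sensitive data, filtering unwanted events, routing events to a specified index, and defining indexes) are all expressed in Splunk's .conf files. The following is an added example written for this page, not configuration from the Splunk documentation; the file path, sourcetype name (example_app), index names (app_events, security), transform names and the sample log lines are constructed for illustration. The configuration keys themselves (monitor, sourcetype, index, SHOULD_LINEMERGE, LINE_BREAKER, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TRANSFORMS-<class>, REGEX, FORMAT, DEST_KEY, homePath, coldPath, thawedPath) are standard Splunk settings.

```ini
# --- inputs.conf ---
# Monitor a (constructed) application log and tag it with a sourcetype
# and a default index. Path, sourcetype and index names are assumptions.
[monitor:///var/log/example/app.log]
sourcetype = example_app
index = app_events
disabled = false

# --- props.conf ---
# Index-time rules for the example_app sourcetype: one event per line,
# timestamp read from the start of the line, then the transforms below
# applied in the order listed.
[example_app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TRANSFORMS-app = drop_debug, mask_session_id, route_auth_to_security

# --- transforms.conf ---
# Sample events these rules act on (constructed):
#   2013-05-01 12:00:00 level=DEBUG action=tick SessionId=abcdef1234567890
#   2013-05-01 12:00:01 level=INFO action=login user=alice SessionId=abcdef1234567890 status=ok
#
# Filter: DEBUG events go to nullQueue and are never written to an index.
[drop_debug]
REGEX = \slevel=DEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

# Mask: rewrite _raw so only the last four characters of the session token
# reach disk. Because this runs before indexing, the full token cannot be
# recovered from the index later.
[mask_session_id]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}\b.*)$
FORMAT = $1SessionId=############$2
DEST_KEY = _raw

# Route: authentication events override the input's default index and
# land in a dedicated "security" index (assumed name).
[route_auth_to_security]
REGEX = \saction=(login|logout|auth_fail)\s
DEST_KEY = _MetaData:Index
FORMAT = security

# --- indexes.conf ---
# Both indexes referenced above must exist; $SPLUNK_DB is Splunk's own
# variable for the datastore location mentioned in the text.
[app_events]
homePath   = $SPLUNK_DB/app_events/db
coldPath   = $SPLUNK_DB/app_events/colddb
thawedPath = $SPLUNK_DB/app_events/thaweddb

[security]
homePath   = $SPLUNK_DB/security/db
coldPath   = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
```

Two points worth checking when applying rules like these: they are index-time rules, so they only take effect on the instance that parses the data (an indexer or heavy forwarder, not a universal forwarder), and they only affect data indexed after the configuration is loaded, so any events already on disk keep whatever they contained when they arrived. Running the constructed lines through the pipeline, the DEBUG line is dropped, and the login line is stored in the security index as `... SessionId=############7890 status=ok`.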


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
