Splunk Cloud

Splunk Cloud User Manual

This documentation does not apply to the most recent version of Splunk Cloud.

Manage Splunk Cloud indexes

Indexes store the data you have sent to your Splunk Cloud deployment. To manage indexes, Splunk Cloud administrators can perform these tasks:

  • Create, update, delete, and view properties of indexes.
  • Monitor the size of data in the indexes to remain within the limits of a data plan or to identify a need to increase the data plan.
  • Modify data retention settings for individual indexes.
  • Delete data from indexes.
  • Optimize search performance by managing the number of indexes and the data sources that are stored in specific indexes.
  • Delete indexes. Caution: This function deletes all data from an index and removes the index. The operation is final and cannot be reversed.

Best practices for creating indexes

Consider these best practices when creating indexes:

  • Create separate indexes for long-term and short-term data. For example, you might need to keep security logs for one year but web access logs for only one month. Using separate indexes, you can set different data retention times for each type of data.
  • Apply logical or role-based boundaries for indexes. For example, create separate indexes for different departments.
  • Devise a naming convention to easily track, navigate, and organize indexes.

The Indexes page

To view the Indexes page, select Settings > Indexes. The Indexes page lists the indexes in a Splunk Cloud deployment and allows administrators to create, update, delete, and modify the properties of indexes. To modify settings for an index, click its name.

From this page you can:

  • Create an index.
  • View index details such as the following.
    • Index name: The name specified when the index was created.
    • Max data size (GB): The maximum amount of data in gigabytes (GB) retained in the index.
    • Current size (GB): The approximate amount of data currently stored in the index.
    • Retention (Days): The maximum age of events retained in the index.
    • Event count: The number of events in the index.
    • Status: Enabled or disabled. Data in a disabled index is ignored in searches.
  • Delete an index. Caution: Deletes all data from an index and removes the index. The operation is final and cannot be reversed.

Create a Splunk Cloud index

Splunk Cloud administrators create indexes to organize data, apply role-based access permissions to indexes that contain relevant user data, fine-tune data, specify how long to retain data in indexes, and so on.

  1. Select Settings > Indexes.
  2. Click New.
  3. In the Index Name field, specify a unique name for the index. Names must begin with a lowercase letter or a number and can include uppercase letters, hyphens, and underscores.
  4. In the Max data size (GB) field, specify the maximum amount of data allowed before data is removed from the index.
  5. In the Retention (Days) field, specify the number of days before an event is removed from an index.
  6. Click Save.

The index appears after you refresh the page. Retention settings apply to individual indexes, whereas data retention policy settings apply to all of the data that is stored in your Splunk Cloud deployment. Monitor and verify that the data retention settings for all indexes do not meet or exceed the values set in the data retention policy. For more information, see Splunk Cloud data policies.
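The check described above can be scripted against an inventory of index settings. The following is an added example, not part of the Splunk documentation: the sample rows are constructed, the policy value and warning ratio are hypothetical, and the regular expression is one reading of the naming rule in step 3. It also flags indexes close to Max data size, because data removed on size can leave an index holding fewer days of events than Retention (Days) suggests.

```python
import re

# Step 3's naming rule, read as: first character a lowercase letter or digit,
# then letters, digits, hyphens or underscores (this regex is an interpretation).
NAME_RE = re.compile(r"[a-z0-9][A-Za-z0-9_-]*")

# Hypothetical values: the deployment-wide data retention policy in days and
# the fill ratio at which an index is reported as close to its size cap.
POLICY_RETENTION_DAYS = 365
SIZE_WARN_RATIO = 0.9

# Constructed sample rows, using the columns shown on the Indexes page.
INDEXES = [
    {"name": "sec_auth", "max_gb": 500, "current_gb": 120.0, "retention_days": 365, "enabled": True},
    {"name": "web_access", "max_gb": 100, "current_gb": 95.5, "retention_days": 30, "enabled": True},
    {"name": "Finance-logs", "max_gb": 50, "current_gb": 1.2, "retention_days": 90, "enabled": True},
    {"name": "hr_apps", "max_gb": 50, "current_gb": 10.0, "retention_days": 400, "enabled": False},
    {"name": "net_fw", "max_gb": 200, "current_gb": 50.0, "retention_days": 90, "enabled": True},
]


def audit_index(row, policy_days=POLICY_RETENTION_DAYS, warn_ratio=SIZE_WARN_RATIO):
    """Return a list of finding strings for one index row."""
    findings = []
    if not NAME_RE.fullmatch(row["name"]):
        findings.append("name violates naming rule")
    if row["retention_days"] >= policy_days:
        findings.append("retention meets or exceeds policy")
    # Data is removed once Max data size is reached, so a nearly full index
    # can lose events before they reach Retention (Days).
    if row["max_gb"] > 0 and row["current_gb"] / row["max_gb"] >= warn_ratio:
        findings.append("near max data size")
    if not row["enabled"]:
        findings.append("disabled: ignored in searches")
    return findings


def audit(rows):
    """Map index name -> findings, keeping only indexes with findings."""
    results = {row["name"]: audit_index(row) for row in rows}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    for name, found in audit(INDEXES).items():
        print(f"{name}: {'; '.join(found)}")
```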

Manage data retention settings

Splunk Cloud administrators can specify the settings that determine when data is removed from a specific index as follows.

  1. Select Settings > Indexes.
  2. From the Index Name column, click the index.
  3. In the Max data size (GB) field, specify the maximum amount of data allowed before data is removed from the index.
  4. In the Retention (Days) field, specify the number of days before an event is removed from an index.
  5. Click Save.

The new data retention settings appear after you refresh the page.

Disable a Splunk Cloud index

Splunk Cloud administrators can disable an index. The data in a disabled index is not queried during searches.

  1. Select Settings > Indexes.
  2. From the Indexes page, click Disable under the Status column.
  3. Click OK to disable the index.

The index status changes to Disabled after you refresh the page. Note: You cannot disable default indexes and third-party indexes from the Indexes page.

Enable a Splunk Cloud index

Splunk Cloud administrators can enable an index. Data in an enabled index can be queried during searches.

  1. Select Settings > Indexes.
  2. Click OK to enable the index.

The index status changes to Enabled after you refresh the page.

Delete index data and the index from Splunk Cloud

Splunk Cloud administrators can delete an index.

Caution: This function deletes all data from an index and removes the index. The operation is final and cannot be reversed.

  1. Select Settings > Indexes.
  2. Identify the index and click Delete from the Action column.
  3. Click OK to confirm that you want to delete the data and index from Splunk Cloud.


The data and index are deleted from Splunk Cloud and cannot be restored. Note: You cannot delete default indexes and third-party indexes from the Indexes page.


This documentation applies to the following versions of Splunk Cloud: 6.6.3


Comments

Actually, there is an issue in version 6.5.x when a user tries to create or delete indexes through the UI, so please ask the Splunk Cloud team for creation or deletion of indexes. The issue is fixed in version 6.6.

Gjcho splunk, Splunker
May 30, 2017

@Tkomatsubara, index creation through the UI is supported.

Andrewb splunk, Splunker
March 6, 2017

Is the index creation operation from the UI fully supported?
CO-32909

Tkomatsubara splunk, Splunker
February 28, 2017
