Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index Strategy - Single index with multiple sourcetypes vs Multiple indexes with dedicated sourcetype

jagadeeshm
Contributor
‎10-09-2016 07:55 AM

Here is what we have:
8 indexers / 4 search heads / each of them are 24 core, 256GB memory and 7.6TB disk

I am trying to understand which of the following gives a better search performance -
[access permissions and retention period are same (35 days)]
Option-1: Single index, multiple sourcetypes each having data anywhere between 75 to 150GB per day.
Option-2: Single index for each of the sourcetypes that exceed 75GB per day.

Splunk documentation never talks about how big an index can be or when is it ideal to create separate indexes (excluding access permissions and retention periods).

My second question is what is the real harm in having too many indexes? What is the maximum number of indexes you have experienced/worked on a specific splunk installation?

Thanks!

Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎10-09-2016 09:06 AM

Hi jagadeeshm,

When you create a custom index, the max index size defaults to 500000 MB, but you can decrease or increase this value, as long as you have sufficient storage space on your server.

Aside from access control and varying retention policies, another reason to set up multiple indexes is to speed up search in some circumstances - has to do with the way search works.

If you have both a high-volume/high-noise data source and a low-volume data source feeding into the same index, and you search mostly for events from the low-volume data source, the search speed will be slower than necessary, because the indexer also has to search through all the data from the high-volume source. To mitigate this, you can create dedicated indexes for each data source and send data from each source to its dedicated index. Then, you can specify which index to search on. You'll probably notice an increase in search speed.

Hope this helps. Thanks!
Hunter

Reply

lukejadamec
Super Champion
‎10-09-2016 08:35 AM

Provided your network and indexers have the bandwidth and processing power to handle the throughput, it basically all comes down to searching.
1) It takes longer to search one large index, but you don't have to specify a particular index in the search.
2) If you use separate indexes for different sourcetypes, then you have to specify them in each search, but the searches are faster.

I prefer option 2 because it allows the flexibility to search everything, or specific indexes/sourcetypes as required. However, it does add the user overhead of specifying particular indexes in some searches.

Examples:
index=mycustomindex_*

Will search all of my custom indexes.

index=mycustomindex_sourcetype1 OR index=mycustomindex_sourcetype2 OR index=mycustomindex_sourcetype10

Will search only indexes for sourcetypes 1, 2 and 10.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...