Some of the things to consider in creation/configuration of indexes and routing of Windows data among them include access control, retention, performance, and cost recovery objectives.
Indexes are a point of administration where you can separate search access based on roles. For example, you might route sensitive data such as Windows security event logs into an index which is separate from non-sensitive Windows logs.
You can also set retention and tiered storage strategies on a per-index basis. Maybe you want to keep security related indexes searchable for years and maybe you want to keep performance/metrics logs searchable for months. Among those logs you want to keep searchable for a long time, maybe you want to keep more recent events in faster storage and older events on cheaper/slower storage.
Regarding performance, many of the events produced by the Windows add-on are derived from performance counters. You might want to transform/reroute those outputs from a standard index to an index optimized for metrics to reduce search costs.
Last, if you provide Splunk as a service in your organization having multiple business units feeding you Windows-based data, you might want to consider routing Windows data into indexes that are specific to each business unit so that you are better positioned to recover costs based on storage displacement and search history.
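As an added illustration of the four points above (role-based access, per-index retention with tiered storage, a metrics index for counter data, and per-business-unit routing), here is a set of Splunk `.conf` stanzas that would implement them. This is example configuration written for this thread, not the poster's own configuration and not shipped by the Splunk Add-on for Windows. The index names (`wineventlog_security`, `win_perfmon`, `win_finance`), the volume paths, the retention periods, the role name `soc_analyst` and the `finance-` host-name prefix are all assumptions; the sourcetype names are assumed to match the ones the add-on assigns.

```ini
# --- indexes.conf (indexer / cluster master) --------------------------------
# Two storage tiers: "fast" for hot/warm buckets, "slow" for cold buckets.
# Paths and sizes are assumed values.
[volume:fast]
path = /opt/splunk/var/lib/splunk/fast
maxVolumeDataSizeMB = 500000

[volume:slow]
path = /mnt/slow_storage/splunk
maxVolumeDataSizeMB = 5000000

# Sensitive Windows security events: long retention, tiered storage.
# frozenTimePeriodInSecs = 5 years (5 * 365 * 86400); buckets older than
# that are frozen (deleted unless coldToFrozenDir/coldToFrozenScript is set).
[wineventlog_security]
homePath   = volume:fast/wineventlog_security/db
coldPath   = volume:slow/wineventlog_security/colddb
thawedPath = $SPLUNK_DB/wineventlog_security/thaweddb
frozenTimePeriodInSecs = 157680000
maxTotalDataSizeMB = 2000000

# Performance-counter data: a metrics index with 90-day retention.
# Metrics indexes are cheaper to search for numeric time series than
# an event index holding the same counter values as text.
[win_perfmon]
datatype   = metric
homePath   = volume:fast/win_perfmon/db
coldPath   = volume:slow/win_perfmon/colddb
thawedPath = $SPLUNK_DB/win_perfmon/thaweddb
frozenTimePeriodInSecs = 7776000

# Per-business-unit index so storage and search usage can be charged back.
[win_finance]
homePath   = volume:fast/win_finance/db
coldPath   = volume:slow/win_finance/colddb
thawedPath = $SPLUNK_DB/win_finance/thaweddb
frozenTimePeriodInSecs = 31536000

# --- props.conf (indexers or heavy forwarders; index-time routing) ----------
# Route every Security-channel event to the sensitive index.
[WinEventLog:Security]
TRANSFORMS-route_security = route_winsec_to_security_index

# Route Windows perfmon events to the metrics index.
[Perfmon:CPU]
TRANSFORMS-route_metrics = route_perfmon_to_metrics_index

# Route all other Windows event-log data by business unit, using the host name.
[WinEventLog:System]
TRANSFORMS-route_bu = route_finance_hosts

# --- transforms.conf ---------------------------------------------------------
[route_winsec_to_security_index]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = wineventlog_security

[route_perfmon_to_metrics_index]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = win_perfmon

# Hosts named finance-* (assumed naming convention) go to the finance index;
# everything else keeps the index set on the input.
[route_finance_hosts]
SOURCE_KEY = MetaData:Host
REGEX      = ^finance-
DEST_KEY   = _MetaData:Index
FORMAT     = win_finance

# --- authorize.conf (search head) --------------------------------------------
# Only this role may search the security index; it inherits the rest from
# the built-in "user" role. Roles without this index in srchIndexesAllowed
# get no results from it even if they name it explicitly in a search.
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = wineventlog_security;main
srchIndexesDefault = wineventlog_security
```

Order matters when several `TRANSFORMS-` entries apply to one sourcetype: Splunk evaluates them in the order the attribute names sort, and a later transform can overwrite `_MetaData:Index` set by an earlier one, so keep the security routing in a stanza of its own as above. After deploying, check that nothing sensitive is still landing in the default index with a search such as `index=main sourcetype=WinEventLog:Security | head 1`, which should return no events.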
Definitely tracking this to see where the conversation goes.