Best Practise: Different Log Sources

How do you handle different source types?
Do you create an index for every type of source i.e. an index called "unix" for all the logs coming from Linux, Solaris and Unix systems and an index "windows" for all Windows clients an servers.

That was my first impulse ...

Or do you receive everything into a "main" index and separate everything in the searches by appropriate search statements?

asked 14 May '11, 10:42

FRoth
75●7
accept rate: 9%

One Answer:

oldest newest most voted

Generally, put things in the same index unless you have a specific reason to do otherwise and understand how any why you would want it. The general reasons might include:

Differential data retention
Access control
Performance

Note that while the above are possible reasons or concerns, it doesn't mean that simply using more indexes is a solution, e.g., putting every single source into a different index will often make performance worse, or might make it better.

link

answered 14 May '11, 14:00

gkanapathy ♦
26.3k●1●6●22
accept rate: 42%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

index ×299
sourcetype ×154
best-practice ×35

Asked: 14 May '11, 10:42

Seen: 637 times

Last updated: 14 May '11, 14:00

Best Practise: Different Log Sources

Follow this question

Splunk Resources

Related questions