Create a Splunk Cloud Platform metrics index

To create a metrics index:

  1. Select Settings > Indexes.
  2. Click New Index.
  3. In the Index name field, specify a unique name for the index. Names must begin with a lowercase letter or a number and can include uppercase letters, hyphens, and underscores.
  4. Set Index Data Type to Metrics.
  5. (Optional) Set Timestamp Resolution to Milliseconds if you want the metrics index to store metric data points at that increased level of granularity. Metrics indexes with millisecond timestamp resolution have decreased search performance. See Metrics indexes with millisecond timestamps.
  6. In the Max raw data size field, specify the maximum amount of raw data allowed before data is removed from the index. Set this value to zero to specify an unlimited maximum raw data size. This is a data retention setting.
  7. In the Searchable time (days) field, specify the number of days before an event is removed from an index. This is a data retention setting.
  8. In the Dynamic Data Storage field, select Splunk Archive to send data to the Splunk Dynamic Data Active Archive, or choose Self Storage to move expired data to your own self-storage area. If you don't want to maintain expired Splunk data, leave No additional storage selected.
  9. If you enabled data self storage, select a location for data self storage. Or, click Edit self storage locations to add a new self storage location. For more information about data self storage and instructions for configuring a data self storage location, see Manage your Indexes and Data in Splunk Cloud.
  10. If you enabled Dynamic Data Active Archive, configure retention settings for the archive. For more information, see Archive expired Splunk Cloud Platform data.
  11. Click Save.
  12. Required step for Classic Experience customers: If this new index must be available to data collection apps on your IDM, contact Splunk Support and request they sync the index with your IDM. This ensures communication between the new index and any data collection apps running on the IDM. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.

The metrics index appears after you refresh the page. Retention settings are applied to individual indexes, and data retention policy settings apply to all of the data that is stored in your Splunk Cloud deployment. Monitor and verify that the data retention settings for all indexes do not meet or exceed the values set in the data retention policy. For more information, see Data retention.

Metrics indexes with millisecond timestamps

By default, metrics indexes are only searchable at a second-by-second precision. This is unlike events indexes, which can be searched with subsecond precision by default.

If you are dealing with a high-volume source of metric data, such as a utility grid that has the potential to generate millions of metric data points per second, this default means that the metrics index is populated with sample metric data points or metric data points that are aggregated views of the raw metric data, taken at regular intervals.

If you are concerned about high index volume, this can be a good thing. Having second-precision metrics indexes keeps your indexes lean and saves you from having to search through huge numbers of events over relatively short time ranges. But this also means that you cannot run time-based metrics searches that have subsecond precision. Similarly, you cannot set up mstats searches that group by subsecond span values.

If you need the capability to perform metric searches with subsecond precision, give your new metric index a Timestamp Resolution of Milliseconds. Metrics indexes with millisecond timestamp resolution can have decreased search performance in comparison to metrics indexes that have the default second timestamp precision.

Note: Metrics indexes set to millisecond precision might incur more license usage than similar metrics indexes set to second precision. The license cost per metric data point remains the same, but millisecond-precision indexes can index more data points than second-precision indexes ingesting data from the same source.

About changing timestamp resolutions of metrics indexes

You can change the timestamp resolution of a metrics index after you create it. However, if you change the timestamp resolution of a metrics index from millisecond to second, it may look like data loss to people who regularly run searches against that metrics index. This is because the index won't ingest data at millisecond resolution after the change.

When your index is at millisecond timestamp resolution, your indexed metric data points might have timestamps like this:

_timestamp (seconds)
1.000
1.001
1.002
2.000
2.435
3.123
3.651
4.000

After four seconds, if you change the timestamp resolution from millisecond timestamp resolution to second timestamp resolution, your index is restricted to indexing one metric data point per second:

_timestamp (seconds)
5.000
6.000
7.000
8.000
9.000

Some users may perceive this as a data loss when in fact they are just seeing their data with a less granular timestamp resolution.
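The following Python sketch is an added example, not part of the original Splunk documentation. It profiles exported _timestamp values to tell a resolution change apart from a real gap in the data. It assumes the timestamps belong to a single metric series and were exported as decimal strings; the function name and the result keys are hypothetical.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample: the two timestamp tables above, joined in order.
PAGE_SAMPLE = [
    "1.000", "1.001", "1.002", "2.000", "2.435", "3.123", "3.651", "4.000",
    "5.000", "6.000", "7.000", "8.000", "9.000",
]


def profile_resolution(timestamps):
    """Summarize point density before and after the last subsecond timestamp.

    Returns None when no timestamp has a fractional part, meaning the
    series never shows millisecond resolution.
    """
    # Decimal avoids float rounding when testing for a fractional part.
    ts = sorted(Decimal(t) for t in timestamps)
    subsecond = [t for t in ts if t % 1 != 0]
    if not subsecond:
        return None

    last_sub = subsecond[-1]
    # Count data points per whole second on each side of the boundary.
    before = Counter(int(t) for t in ts if t <= last_sub)
    after = Counter(int(t) for t in ts if t > last_sub)

    # A resolution change still leaves a point in every second.
    # Seconds with no point at all indicate a real gap instead.
    missing = []
    if after:
        missing = [s for s in range(min(after), max(after) + 1)
                   if s not in after]

    return {
        "last_subsecond": str(last_sub),
        "max_per_second_before": max(before.values()),
        "max_per_second_after": max(after.values()) if after else 0,
        "missing_seconds_after": missing,
    }


if __name__ == "__main__":
    print(profile_resolution(PAGE_SAMPLE))
```

A drop to at most one point per second with no missing seconds matches the resolution change described above. A non-empty list of missing seconds points to a different cause.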

Similarly, users of a metrics index that is switched from a second timestamp resolution to a millisecond timestamp resolution may be surprised to see their indexes ingesting more events than they did before the switch.

As an administrator of a Splunk Cloud Platform deployment, it is up to you to communicate this change and its implications to your users.