Configure and deploy indexes for Splunk Enterprise Security
Splunk Enterprise Security implements custom indexes for event storage. The indexes are defined across the apps provided with Splunk Enterprise Security.
- In a single instance deployment, the installation of Splunk Enterprise Security creates the indexes in the default path for data storage.
- In a Splunk Cloud Platform deployment, customers work with Splunk Support to set up, manage, and maintain their cloud index parameters.
- In a distributed deployment, create the indexes on all Splunk platform indexers or search peers.
Index configuration
The indexes defined in Splunk Enterprise Security do not provide configuration settings to address:
- Multiple storage paths
- Accelerated data models
- Data retention
- Bucket sizing
- Use of volume parameters.
Indexes by app
You might see additional or fewer indexes, depending on your capabilities and which apps you have installed. The following are non-system indexes.
| App context | Index | Description |
|---|---|---|
| DA-ESS-AccessProtection |
gia_summary
|
Summary index used by the Geographically Improbable Access panel on the Access Anomalies dashboard. |
| DA-ESS-ThreatIntelligence |
ioc
|
Unused in this release. |
threat_activity
|
Contains events that result from a threat list match. | |
| SA-AuditAndDataProtection |
audit_summary
|
Audit and Data Protection summary index. |
| SA-EndpointProtection |
endpoint_summary
|
Endpoint protection summary index. |
| SA-NetworkProtection |
whois
|
WHOIS data index. |
| SA-ThreatIntelligence |
notable
|
Contains the findings. |
notable_summary
|
Contains a stats summary of findings used on select dashboards. | |
risk
|
Contains the risk modifier events. | |
| Splunk_DA-ESS_PCICompliance |
pci
|
If PCI is installed, contains the PCI event data. |
pci_posture_summary
|
If PCI is installed, contains the PCI compliance status history. | |
pci_summary
|
If PCI is installed, contains the PCI summary data. | |
| Splunk_SA_CIM |
cim_summary
|
Unused in this release. |
cim_modactions
|
Contains the adaptive response action events. | |
| Splunk_TA_ueba |
ubaroute
|
Does not contain event data. Used behind the scenes for routing to your UBA target. |
ueba
|
Contains UBA events. | |
| SplunkEnterpriseSecuritySuite |
ba_test
|
Contains test index events for behavioral analytics service. |
Add-ons can include custom indexes defined in an indexes.conf file.
Index deployment
Splunk Enterprise Security includes a tool to gather the indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head and assemble them into one add-on.
See also
For more information on managing, configuring, and deploying indexes, see the product documentation:
- Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin manual.
- indexes.conf.example in the Splunk Enterprise Admin manual.
- About managing indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
- Deploy add-ons included with Splunk Enterprise Security