Configure and deploy indexes for Splunk Enterprise Security
Splunk Enterprise Security implements custom indexes for event storage. The indexes are defined across the apps provided with Splunk Enterprise Security.
- In a single instance deployment, the installation of Splunk Enterprise Security creates the indexes in the default path for data storage.
- In a Splunk Cloud Platform deployment, customers work with Splunk Support to set up, manage, and maintain their cloud index parameters.
- In a distributed deployment, create the indexes on all Splunk platform indexers or search peers.
Index configuration
The indexes defined in Splunk Enterprise Security do not provide configuration settings to address:
- Multiple storage paths
- Accelerated data models
- Data retention
- Bucket sizing
- Use of volume parameters
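Because the app-shipped stanzas leave those settings at Splunk defaults, the usual practice is to supply them in a local indexes.conf override deployed to the indexers (for example in the add-on assembled by the index deployment tool). The following is an added example, not configuration from the Splunk Enterprise Security apps themselves; the volume paths, sizes and retention periods are assumed values to adapt to your environment.

```ini
# Added example (not shipped with ES): local override that adds the storage
# path, volume, retention and bucket-sizing settings the ES apps do not set
# for their own indexes. All paths and numbers below are assumptions.

# Volumes keep hot/warm buckets on fast storage and cold buckets on bulk
# storage, with a hard cap per volume so ES data cannot fill the disk.
[volume:hot]
path = /opt/splunk/var/lib/splunk/hot
maxVolumeDataSizeMB = 500000

[volume:cold]
path = /mnt/cold/splunk
maxVolumeDataSizeMB = 4000000

# Findings index shipped by SA-ThreatIntelligence. Only the settings the
# app leaves at defaults are overridden; the stanza itself already exists.
[notable]
homePath   = volume:hot/$_index_name/db
coldPath   = volume:cold/$_index_name/colddb
# thawedPath cannot reference a volume
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
# Retain findings for 365 days (assumed), then roll to frozen (deleted
# unless coldToFrozenDir is set)
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 200000
# 10 GB hot buckets for a high-volume index
maxDataSize = auto_high_volume
# Replicate this index when the indexers form a cluster
repFactor = auto

# Risk modifier events: same storage layout, shorter assumed retention
[risk]
homePath   = volume:hot/$_index_name/db
coldPath   = volume:cold/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
frozenTimePeriodInSecs = 15552000
maxTotalDataSizeMB = 100000
maxDataSize = auto_high_volume
repFactor = auto

# Summary indexes are small; default bucket size is adequate
[notable_summary]
homePath   = volume:hot/$_index_name/db
coldPath   = volume:cold/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 20000
repFactor = auto
```

Splunk conf files accept only whole-line `#` comments, so keep comments on their own lines; after deploying, confirm the effective values on an indexer with `splunk btool indexes list notable --debug`.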
Indexes by app
You might see additional or fewer indexes, depending on your capabilities and which apps you have installed. The following are non-system indexes.
| App context | Index | Description |
|---|---|---|
| DA-ESS-AccessProtection | gia_summary | Summary index used by the Geographically Improbable Access panel on the Access Anomalies dashboard. |
| DA-ESS-ThreatIntelligence | ioc | Unused in this release. |
| DA-ESS-ThreatIntelligence | threat_activity | Contains events that result from a threat list match. |
| DA-ESS-UEBA | ers | Entity risk scoring index. |
| DA-ESS-UEBAContent | ueba_summaries | UEBA index. |
| SA-AuditAndDataProtection | audit_summary | Audit and Data Protection summary index. |
| SA-ContentVersioning | cms_main | Stores content on detection versioning when versioning is turned on. For more information, see Use detection versioning in Splunk Enterprise Security. |
| SA-EndpointProtection | endpoint_summary | Endpoint protection summary index. |
| SA-NetworkProtection | whois | WHOIS data index. |
| SA-ThreatIntelligence | notable | Contains the findings. |
| SA-ThreatIntelligence | notable_summary | Contains a stats summary of findings used on select dashboards. |
| SA-ThreatIntelligence | risk | Contains the risk modifier events. |
| Splunk_DA-ESS_PCICompliance | pci | If PCI is installed, contains the PCI event data. |
| Splunk_DA-ESS_PCICompliance | pci_posture_summary | If PCI is installed, contains the PCI compliance status history. |
| Splunk_DA-ESS_PCICompliance | pci_summary | If PCI is installed, contains the PCI summary data. |
| Splunk_SA_CIM | cim_summary | Unused in this release. |
| Splunk_SA_CIM | cim_modactions | Contains the adaptive response action events. |
| Splunk_TA_ueba | ubaroute | Does not contain event data. Used behind the scenes for routing to your UBA target. |
| Splunk_TA_ueba | ueba | Contains UBA events. |
| SplunkEnterpriseSecuritySuite | ba_test | Contains test index events for the behavioral analytics service. |
Add-ons can include custom indexes defined in an indexes.conf file.
Index deployment
Splunk Enterprise Security includes a tool that gathers the indexes.conf settings, together with the index-time props.conf and transforms.conf settings, from all enabled apps and add-ons on the search head and assembles them into a single add-on for deployment to the indexers.
See also
For more information on managing, configuring, and deploying indexes, see the product documentation:
- Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin manual.
- indexes.conf.example in the Splunk Enterprise Admin manual.
- About managing indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
- Deploy add-ons included with Splunk Enterprise Security