Overview of ITE Work Indexes
Splunk IT Essentials Work implements custom indexes for event storage. All ITE Work indexes are listed in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf.
- In a single instance deployment, installing ITE Work creates the indexes in the default path for data storage.
- In a Splunk Cloud Platform deployment, customers work with Splunk Support to set up, manage, and maintain their cloud index parameters. See Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.
- In a distributed deployment, you need to create the indexes on all Splunk platform indexers or search peers.
For detailed examples of configuring indexes, see indexes.conf.example in the Splunk Enterprise Admin Manual.
The following table describes the indexes available in $SPLUNK_HOME/etc/apps/SA-IndexCreation/default/indexes.conf:
| Index | Description |
|---|---|
| itsi_summary | An events index that stores the results of scheduled KPI searches. Summary indexing lets you run fast searches over large data sets by spreading out the cost of a computationally expensive report over time. |
| itsi_summary_metrics | A metrics index that stores the results of scheduled KPI searches. Every KPI is summarized in both the itsi_summary events index and the metrics index. This index improves the performance of the searches dispatched by ITSI, particularly for very large environments. |
| anomaly_detection | An internal index used to support trending and cohesive anomaly detection in ITSI. |
| itsi_tracked_alerts | Stores active raw notable event data. |
| itsi_notable_audit | Stores all audit events for episodes, including actions, comments, status change, and owner change. |
| itsi_notable_archive | Stores episode metadata (tags and comments) that has been moved from the KV store after a default 6 month retention period, which begins when you close an episode in the UI. Moving data from the KV store removes extraneous data and helps improve performance. |
| itsi_grouped_alerts | Stores active episode data. |
| snmptrapd | Stores events coming in from SNMP traps. For more information, see Ingest SNMP traps into ITSI. |
| itsi_import_objects | Stores events indexed from a manual entity or service import from a CSV file. |
| itsi_im_meta | Optional index that stores Kubernetes metadata. |
| itsi_im_metrics | Stores entity data for entity discovery in ITSI. |