What is an index in Splunk, and how do you decide indexing strategy? [Intermediate]
Answer
A Splunk index is a logical repository for events and their indexed data. I design indexes around retention, access control, data domain, volume, and compliance requirements, not around every small application.
Technical explanation
Separate indexes when data needs different retention, RBAC, sensitivity, or cost controls.
Use source, sourcetype, host, service, and fields to distinguish data inside an index.
Too many indexes increase management overhead; too few make access and retention difficult.
Hands-on example
Example strategy: index=prod_app for application logs retained 30 days, index=security for auth/security events retained 365 days, index=audit for compliance events retained 7 years, and index=dev_app retained 7 days. Limit team access by index and role.
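The strategy above expressed as Splunk configuration, as an added example that is not part of the original page; index names and retention periods come from the example, the role name and storage paths are assumptions:

```ini
# indexes.conf (constructed example, indexer side).
# frozenTimePeriodInSecs is evaluated per bucket: a bucket is frozen when its
# newest event is older than this, so effective retention is slightly longer
# than the nominal period. Frozen data is deleted unless coldToFrozenDir is set.

[prod_app]
homePath   = $SPLUNK_DB/prod_app/db
coldPath   = $SPLUNK_DB/prod_app/colddb
thawedPath = $SPLUNK_DB/prod_app/thaweddb
frozenTimePeriodInSecs = 2592000        # 30 days
maxTotalDataSizeMB     = 500000         # cost control; hitting this also freezes buckets

[security]
homePath   = $SPLUNK_DB/security/db
coldPath   = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
frozenTimePeriodInSecs = 31536000       # 365 days

[audit]
homePath   = $SPLUNK_DB/audit/db
coldPath   = $SPLUNK_DB/audit/colddb
thawedPath = $SPLUNK_DB/audit/thaweddb
frozenTimePeriodInSecs = 220752000      # 7 years (7 * 365 * 86400)
coldToFrozenDir = /archive/splunk/audit # archive instead of delete, for compliance

[dev_app]
homePath   = $SPLUNK_DB/dev_app/db
coldPath   = $SPLUNK_DB/dev_app/colddb
thawedPath = $SPLUNK_DB/dev_app/thaweddb
frozenTimePeriodInSecs = 604800         # 7 days

# authorize.conf (constructed example, search head side).
# Access is granted per index and per role; role names are assumptions.

[role_app_team]
importRoles        = user
srchIndexesAllowed = prod_app;dev_app
srchIndexesDefault = prod_app

[role_soc_analyst]
importRoles        = user
srchIndexesAllowed = security;prod_app
srchIndexesDefault = security

[role_compliance]
importRoles        = user
srchIndexesAllowed = audit
srchIndexesDefault = audit
```

A role that lists neither `audit` nor a wildcard in `srchIndexesAllowed` cannot search the audit index at all, which is how the retention and access boundaries line up with the index boundaries.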