To route very specific events to this new index, assuming you created an index called
sensitive, you can create a transform as follows:

[contains_password]
REGEX = (?i)password[=:]
DEST_KEY = _MetaData:Index
FORMAT = sensitive

You would then wire this transform to a particular sourcetype or source index in
props.conf. See Chapter 10, Configuring Splunk, for examples.
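The following is an added example, not code from the book or from Splunk: it loads the transforms.conf stanza above, approximates the index-time routing decision it implies, and runs constructed sample events through it so the regex can be checked before deployment (a "passwd=" event, for instance, is not caught by this rule). The default index name "main" and the sample events are assumptions.

```python
import re
from configparser import ConfigParser

# Constructed copy of the transforms.conf stanza from the text (index routing rule).
# In props.conf it would be attached to a sourcetype with a line such as
# TRANSFORMS-routing = contains_password (see Chapter 10).
TRANSFORMS_CONF = """
[contains_password]
REGEX = (?i)password[=:]
DEST_KEY = _MetaData:Index
FORMAT = sensitive
"""

DEFAULT_INDEX = "main"  # assumption: events land here unless a rule rewrites the index


def load_routing_rules(conf_text):
    """Parse stanzas that rewrite _MetaData:Index into (name, compiled regex, target index)."""
    parser = ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (REGEX, DEST_KEY, FORMAT)
    parser.read_string(conf_text)
    rules = []
    for name in parser.sections():
        stanza = parser[name]
        if stanza.get("DEST_KEY") != "_MetaData:Index":
            continue  # not an index-routing transform
        rules.append((name, re.compile(stanza["REGEX"]), stanza["FORMAT"]))
    return rules


def route_event(raw, rules, default_index=DEFAULT_INDEX):
    """Return the index an event is written to: FORMAT of the first matching rule, else the default."""
    for _name, pattern, index in rules:
        if pattern.search(raw):
            return index
    return default_index


# Constructed sample events (not from the page) exercising the rule and its edge cases.
SAMPLE_EVENTS = [
    "2012-10-19 12:53:20 user=alice password=hunter2 action=login",
    "2012-10-19 12:53:21 user=bob PASSWORD: s3cret action=reset",     # case-insensitive match
    "2012-10-19 12:53:22 user=carol passwd=abc action=login",         # 'passwd' is not matched
    "2012-10-19 12:53:23 code=500 session=abcdefg url=/path/to/app",  # ordinary event
]


def route_samples():
    """Route every sample event and return the list of destination indexes."""
    rules = load_routing_rules(TRANSFORMS_CONF)
    return [route_event(event, rules) for event in SAMPLE_EVENTS]
```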
Using more indexes to increase performance
Placing different source types in different indexes can help increase performance,
if those source types are not queried together. The disks will spend less time seeking
when accessing the source type in question.
If you have access to multiple storage devices, placing indexes on different devices
can help increase performance even more by taking advantage of different hardware
for different queries. Likewise, placing homePath and coldPath on different devices
can help performance.
However, if you regularly run queries that use multiple source types, splitting
those source types across indexes may actually hurt performance. For example,
let's imagine you have two source types called web_access and web_error.
We have the following line in web_access:
2012-10-19 12:53:20 code=500 session=abcdefg url=/path/to/app
And we have the following line in web_error:
2012-10-19 12:53:20 session=abcdefg class=LoginClass
If we want to combine these results, we could run a query like the following:
(sourcetype=web_access code=500) OR sourcetype=web_error
| transaction maxspan=2s session
| top url class
If web_access and web_error are stored in different indexes, this query will
need to access twice as many buckets and will essentially take twice as long.