Index Structure & Types

An index is a repository where Splunk stores processed data. By default, all data goes into the "main" index, but admins should create specific indexes for different data sources.

Splunk has two types of indexes: events indexes for general log data and metrics indexes for high-volume numeric/time-series metrics data. Metrics indexes are faster and use less storage.

Internal indexes like _internal (Splunk logs), _audit (user activity), and _introspection (performance data) are used by Splunk itself.