In my previous post, I went through the thought process of defining a Splunk index structure. Three aspects of defining this structure were covered: data access control, data retention, and search performance. Now that we understand the case for a well-defined index structure and the different factors that drive it, let's go through a use case.
An extremely bright and talented system administrator at the Panda Shoe Company (fictitious) wanted to work smarter and...