What is an index?

An index in Splunk is the repository that holds your data. It lives on an indexer, a Splunk instance configured to index local and remote data. Once indexed, the data can be searched from a search head, for example through the Search app.

As the indexer indexes the data, it writes the raw events and the index files that point into them into sets of directories called buckets. Buckets are organized by the age of the events they hold: new events go into hot buckets, which roll to warm, then to cold, and finally to frozen, where they are archived or deleted. By default each index occupies its own directory under $SPLUNK_HOME/var/lib/splunk (the value of $SPLUNK_DB); the exact paths are set per index in indexes.conf. For example, here are the files for the index called testindex:

(Image: bucket directory listing for testindex, not reproduced here)

Indexes can be created with Splunk Web, with the command-line interface (CLI), or by manually editing the indexes.conf file. An index added through Splunk Web or the CLI is available immediately; an index defined by editing indexes.conf takes effect after the indexer is restarted.

By default, Splunk puts all user data into a single, preconfigured index called main. You can, and usually should, create your own indexes for security and performance reasons. Access to data is granted per index through roles, so keeping sensitive sources (authentication or firewall logs, for instance) in a dedicated index lets you restrict who can search them. Separate indexes also let you set retention and size limits per data set and let searches scan only the index that holds the data they need.
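The following indexes.conf and authorize.conf fragments show the two points above together: defining an index by hand and restricting a role to it. This is an added example, not configuration from the Geek University page; the index name secops, the role name role_secops_analyst and the size and retention values are assumptions chosen for illustration. Splunk .conf files only accept comments on their own lines, so none are placed after a value.

```ini
# indexes.conf, for example in $SPLUNK_HOME/etc/system/local/ or an app's local/ directory.
# Index name "secops" is an assumption for this example.
[secops]
# Hot and warm buckets
homePath = $SPLUNK_DB/secops/db
# Cold buckets
coldPath = $SPLUNK_DB/secops/colddb
# Buckets restored (thawed) from a frozen archive
thawedPath = $SPLUNK_DB/secops/thaweddb
# Cap the index at 50 GB; the oldest buckets are frozen first when the cap is hit
maxTotalDataSizeMB = 51200
# Freeze buckets older than 90 days; with no coldToFrozenDir set, frozen means deleted
frozenTimePeriodInSecs = 7776000

# authorize.conf, same directory. Role name is an assumption for this example.
[role_secops_analyst]
# No importRoles on purpose: srchIndexesAllowed is unioned across inherited roles,
# so inheriting a role that allows * would silently widen this role's access.
search = enabled
srchIndexesAllowed = secops
srchIndexesDefault = secops
```

The CLI equivalent of the index stanza is splunk add index secops -homePath '$SPLUNK_DB/secops/db' -coldPath '$SPLUNK_DB/secops/colddb' -thawedPath '$SPLUNK_DB/secops/thaweddb'; after editing the files by hand, restart Splunk and confirm the merged settings with splunk btool indexes list secops --debug and splunk btool authorize list role_secops_analyst --debug. To check the access restriction itself, log in as a user that holds only this role and run the search | eventcount summarize=false index=*; only secops should appear.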
Geek University 2021