In my previous post, I went through the thought process of defining a Splunk index structure. Three aspects of defining this structure were covered: data access control, data retention, and search performance. Now that we understand the case for a well-defined index structure and the different factors that drive it, let's go through a use case.

An extremely bright and talented system administrator at the Panda Shoe Company (fictitious) wanted to work smarter and...