documentation update

docs/index.rst

@@ -37,8 +37,6 @@ Overview:
    binaries
    requirements
    deployment_matrix
-   deployment
-   external
 
 Processing:
 -----------
@@ -48,3 +46,15 @@ Processing:
 
    data_processing
 
+Deployment and configuration:
+-----------------------------
+
+.. toctree::
+   :maxdepth: 2
+
+   deployment
+   external
+   json_indexing
+
+
+

docs/json_indexing.rst

@@ -0,0 +1,32 @@
+###############################
+JSON indexing versus legacy CSV
+###############################
+
+Nmon data is basically generating CSV data (Comma Separated Value), and this is as well the case for the files generated by the TA-nmon
+
+**By default, the TA-nmon generates several files to be indexed in the following directories:**
+
+* $SPLUNK_HOME/var/log/nmon/var/csv_repository
+* $SPLUNK_HOME/var/log/nmon/var/config_repository
+
+In the case of the nmon performance data (the "csv_repository" 0, we generate one csv data file by nmon section. (basically per performance monitor)
+
+Then, Splunk indexes the data using the CSV "INDEXED_EXTRACTIONS" mode, these parameters are visible in "default/props.conf" under the "nmon_data" sourcetype::
+
+    [nmon_data]
+
+    FIELD_DELIMITER=,
+    FIELD_QUOTE="
+    HEADER_FIELD_LINE_NUMBER=1
+
+    # your settings
+    INDEXED_EXTRACTIONS=csv
+
+In this mode, Splunk identifies the fields name using the CSV header, then each field is indexed as an "indexed fields", to be opposed to fields extraction at search time. (like Key Value data for instance)
+
+The indexed CSV mode provides great performances at search time, and CSV data generates a low level of data volume which saves Splunk licensing costs.
+
+However, the disadvantage of this is an higher cost in storage requirements as Splunk has to generate an higher volume of tsidx files (indexed files) versus rawdata files within the indexes storage.
+
+
+