Getting Data In

How do I set the default index?

the_wolverine
Champion

I've created a custom index that I want to be my new defaultdb. Currently, my defaultdb is "main" index. I want all events without an index specified to be funneled to my new custom db. How do I do this?

1 Solution

the_wolverine
Champion

Out-of-the-box, defaultdb is set to main. To change this, edit your indexes.conf file to reflect the new default index. If you have a new index called "badger", set the following at the top (global setting):

defaultDatabase = badger

From indexes.conf.spec:

defaultDatabase = <database name>
* If no index is specified during search, Splunk searches default database. 
* Also the database displays by default on the homepage.
* Defaults to main.

View solution in original post

zotamus
New Member

You can do this by going to roles in the GUI under users and authentication (Version 8.0.1). Then find the role for the group of users and click the indexes tab. Under there you will see a default column you can check to set the default index(s).

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

Even if you change the default index as per the above instructions, this wouldn't be the 'default' index, until you granted access by adding the index to 'Indexes searched by default' under Manager » Access controls » Roles » . After that point, it would be searched by default, as smisplunk indicates above.

the_wolverine
Champion

The default index above refers specifically to which index data is funneled to when an index is not specified for the datasource. But you are correct that there is a separate configuration that would need to be modified for searching if you want that index to also be the default SEARCH index.

0 Karma

smisplunk
Path Finder

If you meant the "default" index in terms of which index(es) are searched if no "index=" clause is provided in the search string, that can be done on a per-user basis from the manager (it sets srchIndexesDefault values in authorize.conf for the given role).

the_wolverine
Champion

Out-of-the-box, defaultdb is set to main. To change this, edit your indexes.conf file to reflect the new default index. If you have a new index called "badger", set the following at the top (global setting):

defaultDatabase = badger

From indexes.conf.spec:

defaultDatabase = <database name>
* If no index is specified during search, Splunk searches default database. 
* Also the database displays by default on the homepage.
* Defaults to main.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...