Knowledge Management

How to get details regarding the deleted index?

vin02
Path Finder

One of the index(eg. index= test) has been deleted from the environment. which log i have to check for the respective details.

Tags (2)
0 Karma
1 Solution

adonio
Ultra Champion
0 Karma

adonio
Ultra Champion

alt text

0 Karma

adonio
Ultra Champion

try this:

index = _audit user=* action=indexes_edit
index = _internal  component=IndexWriter message="*Initializin*" component=IndexWriter | table _time idx 

Or this:

index = _audit user=* action=indexes_edit object=* | table user action object

hope it helps

0 Karma

vin02
Path Finder

Thanks for your response. but when i am adding my index name ,not getting any result

0 Karma

vin02
Path Finder

If my index name has been changed or deleted then how do i know?

0 Karma

adonio
Ultra Champion

Can you share how you are adding your index name in search?
I am attaching a screenshot on the answer below with an index i first created, then edited and then modified and then removed.
is it a single indexer? couple of them? indexer cluster?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...