Indexes appear in usage report but not in indexes....

sidekix24 · ‎05-04-2017

I just inherited a stand alone splunk instance and when I run the usage report by indexes, I see a couple of indexes that are ingesting data on a daily basis but I don't see those indexes in the indexes.conf or an folders for those indexes on the indexer.

Has anyone seen this before?

adonio · ‎05-04-2017

If it is a stand alone splunk,
navigate to settings -> indexes and and check the apps under App column.
there is a good posibilty there are different apps that has different indexes.conf
the TA for Windows for example has 3 indexes shipped with it: windows wineventlogs and perfmon
Or use this to search the rest endpoint and discover via search bar:

| rest /services/data/indexes 
| table title eai:acl.app

hope it helps and you find your indexes

DalJeanis · ‎05-04-2017

Chances are pretty good they are summary indexes and/or related to data model acceleration or report acceleration. The data will be stored in stash files, unless the collect command specifies a new sourcetype. Not sure whether license usage reports show the indexes that are using stash - it's not billable, but that doesn't necessarily mean it isn't on the report.

Check the section on this page about "Example of a summary index configuration" to see what to look for in savedsearches.conf ...

http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Configuresummaryindexes

Indexes appear in usage report but not in indexes.conf or on indexer

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...