Installation

index named "default" shows up in DMC

shubham87
Explorer

Hi All,

See below screenshot. This screenshot is from Indexing--> License Usage section in DMC. Its shows that index named "default"
has taken up almost 50 GB of our license. However i could not find this index on our indexers. Also below command does not return and index with this name.

| eventcount summarize=false index=* | dedup index | fields index

alt text

Can anyone suggest what this could be?

Regards
Shubham

Labels (1)
0 Karma

sudosplunk
Motivator

Hello,

This could be your main index. Search index=main to see if it has any data.

The main index, by default, holds all your events. It also serves as the default index for any inputs or search commands that don't specify an index name. Meaning, if you do not specify index name either by inputs.conf or transforms.conf, then splunk will make use of default (main) index to store the events. I came across below setting in indexes.conf which explains why it displays as default instead of main.

defaultDatabase = <index name>
* If no index is specified during search, Splunk searches the default index.
* The specified index displays as the default in Splunk Manager settings.
* Defaults to "main".

Run index=main | stats values(source) by host sourcetype search and note the list of the all the sources and hosts. Track the monitor stanzas which are configured for these sources and define desired index name to avoid landing of events into the main index.

0 Karma

shubham87
Explorer

index=main does not return any value in last one week. And i am running this on my DMC which is searching all splunk instances in our environment.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...