Hi,
I was in the process of changing the index that certain events write to and came across a problem with a query I was using to verify the results.
This input source appears in 3 different indices right now (os, main and access).
If I search for that appears in all of them WITHOUT an index qualifier I get data from 2 of the 3 indices. If I add index=*
to the search then it finds all three indices.
How is splunk deciding what indices to include (or exclude) by default?
Thanks
You'll see events from those indexes without explicitly specifying one or more indexes in the search, that are selected as default indexes for your role(s). You can see/change this under Manager » Access controls » Roles » Some Role » Default indexes
You'll see events from those indexes without explicitly specifying one or more indexes in the search, that are selected as default indexes for your role(s). You can see/change this under Manager » Access controls » Roles » Some Role » Default indexes
Great thanks, I checked the index for any settings but didn't think of the role.
I can't see the Manager option in my splunk. We are using splunk 6.6. My splunk looks like: https://imgur.com/VxuOzxH . I don't see the Manager-> Access controls ->...
Should be under "Settings" -> "Access Controls". I guess that changed somewhere in the last ~8 years 😛
Thanks @FrankVI. My Settings doesn't have Access Control in it. Please see: https://imgur.com/a/LW6YhvV. Settings has:
Searches, reports, and alerts
Data models
Event types
Tags
Fields
Lookups
User interface
Advanced search
All configurations
By default, only the admins of your Splunk instance can see the link to Access controls page, because it deals with things like user account settings, user roles and authentication.