Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index syntax question

trojan_81
Path Finder
‎11-27-2019 06:59 PM

Within Splunk cloud 7.2.6 - If I run a search without specifying index or sourcetype it will search the main index by default. Where can I find out what the main index consist of?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-28-2019 09:05 AM

Hi @trojan_81,
there's a list of indexes used by default by searches when an index isn't defined, by default in this list there's only main index.
For this reason, is always a best practice to insert in a search always the indication about the index to search.
If anyway you want to intervene on search default path, you can find it in User's roles [Settings -- Users and Authentication -- Roles -- Choose one -- Indexes], there's a flag column.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-28-2019 11:56 AM

To see what is in main, you can run search like this:

index=main earliest=-7d latest=now | fieldsummary

As far as why it searches main, that is completely dependent on what your local Splunk admin set for the roles that your user has. The setting is called Indexes Searched by Default and whenever I am admin, I ALWAYS set all of these to <NULL>. It is VERY bad practices to write searches without specifying index because the behavior can change AT ANY TIME.

0 Karma
Reply
Solved! Jump to solution

Arpit_S
Path Finder
‎11-28-2019 10:05 AM

@trojan_81 , if you don't specify the index name splunk will search for the specified search or keyword across the list default indexes specified in the role assigned to the user you are logged in as.

That\those index(es) might include main index or not.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-28-2019 09:05 AM

Hi @trojan_81,
there's a list of indexes used by default by searches when an index isn't defined, by default in this list there's only main index.
For this reason, is always a best practice to insert in a search always the indication about the index to search.
If anyway you want to intervene on search default path, you can find it in User's roles [Settings -- Users and Authentication -- Roles -- Choose one -- Indexes], there's a flag column.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎11-28-2019 06:10 AM

Do you mean what hosts, source, sourcetypes are sending data to the main index?
You can use the metadata command for that. On the Splunk search bar enter:
|metadata type=hosts index=main
You can also change hosts for sourcetypes or sources

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...