Default indexes in Splunk free?

jamesez
New Member

I am running Splunk 4.1.7 in the free license mode.

I added an index "noise" and created a transform that moves some events to it (e.g., ssh attempts).

Any * search is grabbing entries out of "main" and "noise," which does not agree with the manual and other information provided here. I have verified the transforms do work, as they show up "index=noise" when that is added to the results view.

Is setting default indexes for searching limited to the enterprise license?

1 Solution

jrodman
Splunk Employee

Sure enough, the default index set is '*' in Splunk Free.

void UserManagerFree::getDefaultIndexes(std::set<Str> &indexes)
{
    indexes.clear();

    // Use all public indexes
    AuthorizationManagerSplunk::addMatchingIndexes("*", indexes);
}

This seems consistent with http://www.splunk.com/view/how-to-get-splunk/SP-CAAADFV which indicates that Free does not offer role based access controls. Essentially, all indexes are searched, unless manually specified.

However, we should possibly expand the section http://www.splunk.com/base/Documentation/latest/Installation/MoreAboutSplunkWithAFreeLicense since the default is definitely different in this case.
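
To make the behaviour of that C++ snippet concrete, here is an added Python model of how the default index set is resolved and how an explicit `index=` term in a search overrides it. This is illustrative code written for this thread, not Splunk's own implementation: the index names are constructed sample data, and the rule that `*` skips underscore-prefixed internal indexes is an assumption standing in for the "public indexes" comment in the original.

```python
import fnmatch
import re
from typing import Iterable, Set

# Constructed sample: the poster's "main" and custom "noise" indexes,
# plus two underscore-prefixed internal indexes for contrast.
SAMPLE_INDEXES = ["main", "noise", "_internal", "_audit"]


def add_matching_indexes(pattern: str, known: Iterable[str], out: Set[str]) -> Set[str]:
    """Model of AuthorizationManagerSplunk::addMatchingIndexes (assumption):
    add every known index whose name matches the glob pattern.
    Internal indexes (leading '_') are only matched when the pattern itself
    starts with '_', so a bare '*' yields only the public indexes."""
    for name in known:
        if name.startswith("_") and not pattern.startswith("_"):
            continue
        if fnmatch.fnmatchcase(name, pattern):
            out.add(name)
    return out


def default_indexes_free(known: Iterable[str]) -> Set[str]:
    """Model of UserManagerFree::getDefaultIndexes: the default set is '*',
    i.e. every public index, with no per-role narrowing."""
    return add_matching_indexes("*", known, set())


def default_indexes_for_role(role_defaults: Iterable[str], known: Iterable[str]) -> Set[str]:
    """Hypothetical role-based variant: a role carries its own list of
    default index patterns (e.g. ['main']) instead of a hard-coded '*'."""
    out: Set[str] = set()
    for pattern in role_defaults:
        add_matching_indexes(pattern, known, out)
    return out


# Matches index=foo, index="foo", index=* and similar terms in a search string.
INDEX_TERM = re.compile(r'(?<![\w:])index\s*=\s*"?([\w*-]+)"?', re.IGNORECASE)


def search_scope(search: str, defaults: Iterable[str], known: Iterable[str]) -> Set[str]:
    """Return the set of indexes a search reads: explicit index= terms take
    precedence; a search without any index= term falls back to the default set."""
    explicit = INDEX_TERM.findall(search)
    if not explicit:
        return set(defaults)
    out: Set[str] = set()
    for pattern in explicit:
        add_matching_indexes(pattern, known, out)
    return out


if __name__ == "__main__":
    free_defaults = default_indexes_free(SAMPLE_INDEXES)
    print("Free default set:", sorted(free_defaults))
    print("'sshd' reads:", sorted(search_scope("sshd", free_defaults, SAMPLE_INDEXES)))
    print("'index=main sshd' reads:", sorted(search_scope("index=main sshd", free_defaults, SAMPLE_INDEXES)))
```

Run stand-alone, the script shows the situation from the question: with the Free default set, a search containing no `index=` term reads both `main` and `noise`, while adding `index=main` (or `index=noise`) narrows it to that index alone. The role-based variant is only there to show what a per-role default would change; the page states that Free has no role-based access controls, so on Free only the `*` path applies.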

jrodman
Splunk Employee

I'm not sure how it was described originally. In 3.x, we could only search one index at a time, so there was a single default. Maybe you found text from that timeframe? In early 3.x, custom indexes were not supported in Splunk Free at all, so that informed the historical choice. In any event, perhaps you could spell out how you feel it should work and why in an enhancement request? Those requests are helpful to us! These are currently submitted by the Splunk support portal.


jamesez
New Member

I'd prefer it if the way it was described originally is how it was implemented, and not *.
