index syntax question

trojan_81
Path Finder

Within Splunk Cloud 7.2.6: if I run a search without specifying an index or sourcetype, it will search the main index by default. Where can I find out what the main index consists of?


gcusello
SplunkTrust
SplunkTrust

Hi @trojan_81,
there's a list of indexes searched by default when an index isn't specified; by default this list contains only the main index.
For this reason, it is always a best practice to include in a search the index to search.
If you want to change the default search path anyway, you can find it in the user's roles [Settings -- Users and Authentication -- Roles -- Choose one -- Indexes]; there's a flag column.

Ciao.
Giuseppe


woodcock
Esteemed Legend

To see what is in main, you can run a search like this:

index=main earliest=-7d latest=now | fieldsummary

As far as why it searches main, that is completely dependent on what your local Splunk admin set for the roles that your user has. The setting is called Indexes Searched by Default and whenever I am admin, I ALWAYS set all of these to <NULL>. It is VERY bad practice to write searches without specifying an index because the behavior can change AT ANY TIME.

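To check which of your roles actually include main under Indexes Searched by Default (and what else they search), here is an added example search that is not from any of the posts above; it assumes your role may read the /services/authorization/roles REST endpoint and that srchIndexesDefault and srchIndexesAllowed come back as multivalue fields:

```spl
| rest /services/authorization/roles splunk_server=local
| fields title srchIndexesDefault srchIndexesAllowed
| eval searches_main_by_default=if(isnotnull(mvfind(srchIndexesDefault, "^main$")), "yes", "no")
| eval defaults=mvjoin(srchIndexesDefault, ";"), allowed=mvjoin(srchIndexesAllowed, ";")
| table title searches_main_by_default defaults allowed
```

A role whose defaults column is empty behaves like woodcock's <NULL> setting, so searches run under it return nothing unless an index is given explicitly.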

Arpit_S
Path Finder

@trojan_81, if you don't specify the index name, Splunk will search for the specified search or keyword across the list of default indexes specified in the role assigned to the user you are logged in as.

That/those index(es) might or might not include the main index.

gfreitas
Builder

Do you mean which hosts, sources and sourcetypes are sending data to the main index?
You can use the metadata command for that. On the Splunk search bar enter:
|metadata type=hosts index=main
You can also replace hosts with sourcetypes or sources.
