Yes you can change via CLI
location -
$SPLUNK_HOME/etc/apps/user-prefs/default/user-prefs.conf
stanza -
[general_default]
default_namespace = $default
appOrder = search,search,no_search_test,lookup_editor
etc.
... View more
Hi,
Create indexes in each indexer at /etc/apps folder.
From search head go to settings - search peers--> add indexers with management port.
Forward data from forwarders to indexers directly.
Logs will be searchable from search head. No need to create index in search head. Just add indexers in search peers of search head as explained above.
... View more