https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61500#M3723 <P>did you try by adding your indexes :</P> <PRE><CODE>Manager » Access controls » Roles » admin » Indexes searched by default </CODE></PRE> <P>or using modifying the app WSOC searches and adding a <A href="http://docs.splunk.com/Documentation/Splunk/4.3.3/User/CreateAndUseSearchMacros">macro</A></P> Mon, 17 Sep 2012 19:02:22 GMT MarioM 2012-09-17T19:02:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61499#M3722 <P>I want to use the Windows Security Operations Center (WSOC) app but My win. event logs or fragmented in many indexes. I use different indexes to keep track of different business segments and each segment keeps there windows events in there own index. I would like to pint the WSOC at all the indexes that have Win event logs. Can I do this with the configuration GUI and how?</P> Mon, 17 Sep 2012 14:55:15 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61499#M3722 hartfoml 2012-09-17T14:55:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61500#M3723 <P>did you try by adding your indexes :</P> <PRE><CODE>Manager » Access controls » Roles » admin » Indexes searched by default </CODE></PRE> <P>or using modifying the app WSOC searches and adding a <A href="http://docs.splunk.com/Documentation/Splunk/4.3.3/User/CreateAndUseSearchMacros">macro</A></P> Mon, 17 Sep 2012 19:02:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61500#M3723 MarioM 2012-09-17T19:02:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61501#M3724 <P>yes too many indexes to put in roles and I don't what to have to do this for all groups that need data. Can you point me or get me started on a "MACRO" that would work with this APP?</P> Mon, 17 Sep 2012 19:06:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61501#M3724 hartfoml 2012-09-17T19:06:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61502#M3725 <P>The WSOC apps (v1.1) uses macros so you can change this easily.</P> <P>Go to Manager -&gt; Advanced search -&gt; Search macros</P> <P>You should see two macros used by the application:</P> <P>windowsindex and windowssourcetype</P> <P>Feel free to modify them so they include all your indexes. You can simply enter multiple indexes with the OR keyword in the windowsindex macro, for example:</P> <PRE><CODE>index=myindex1 OR index=myindex2 </CODE></PRE> <P>This will make Splunk search through both indexes and the whole application should work automatically since all searches use this macro.</P> Mon, 17 Sep 2012 19:17:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61502#M3725 bojanz 2012-09-17T19:17:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61503#M3726 <P>you are a lifesaver thanks so much this is what I was looking for.</P> Mon, 17 Sep 2012 19:20:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61503#M3726 hartfoml 2012-09-17T19:20:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61504#M3727 <P>What if one wants to search for more than one windowssourcetype? </P> <P>I tried to do the same as you showed for the indexes and nothing seems to be happening from the change.</P> <P>I'd like to add Application and System events as well.</P> <P>Any ideas?</P> Thu, 09 Feb 2017 17:14:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/WSOC-App-with-more-than-one-index/m-p/61504#M3727 sdse78 2017-02-09T17:14:08Z