topic index syntax question in Splunk Search

index syntax question

trojan_81 — Thu, 28 Nov 2019 02:59:38 GMT

Within Splunk cloud 7.2.6 - If I run a search without specifying index or sourcetype it will search the main index by default. Where can I find out what the main index consist of?

Re: index syntax question

gfreitas — Thu, 28 Nov 2019 14:10:32 GMT

Do you mean what hosts, source, sourcetypes are sending data to the main index?
You can use the metadata command for that. On the Splunk search bar enter:
|metadata type=hosts index=main
You can also change hosts for sourcetypes or sources

Re: index syntax question

gcusello — Thu, 28 Nov 2019 17:05:57 GMT

Hi @trojan_81,
there's a list of indexes used by default by searches when an index isn't defined, by default in this list there's only main index.
For this reason, is always a best practice to insert in a search always the indication about the index to search.
If anyway you want to intervene on search default path, you can find it in User's roles [Settings -- Users and Authentication -- Roles -- Choose one -- Indexes], there's a flag column.

Ciao.
Giuseppe

Re: index syntax question

Arpit_S — Thu, 28 Nov 2019 18:05:01 GMT

@trojan_81 , if you don't specify the index name splunk will search for the specified search or keyword across the list default indexes specified in the role assigned to the user you are logged in as.

That\those index(es) might include main index or not.

Re: index syntax question

woodcock — Thu, 28 Nov 2019 19:56:27 GMT

To see what is in main, you can run search like this:

index=main earliest=-7d latest=now | fieldsummary

As far as why it searches main, that is completely dependent on what your local Splunk admin set for the roles that your user has. The setting is called Indexes Searched by Default and whenever I am admin, I ALWAYS set all of these to <NULL>. It is VERY bad practices to write searches without specifying index because the behavior can change AT ANY TIME.