All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Changing the default index after installation.

jparct
Explorer
‎11-06-2017 09:15 AM

I selected the main index mistakenly during the installation of the Splunk app and add-on for Okta. How do I change this so that the correct index is selected automatically? The index I configured is collecting data as I can specify index=okta in a search and receive current information, it's just that the dashboards aren't displaying the any current information. Splunk 6.6.0 installed on a Ubuntu server.

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎11-06-2017 09:49 PM

One possible solution would be to create a new role , put "okta" as a default index for the role and then assign this role to the users who should be accessing the dashboards.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎11-07-2017 01:21 AM

The best practice for index is the administrator to have overall control over all indexes.conf configuration. What we do is we create a single app with all index configurations and disable index configuration in all other apps.
So in your case, the best way is

  1. In your inputs.conf, ensure you make an entry index=okta in your monitor stanza along && correct sourcetype
  2. Disable any index=main in your app or default apps for the above sourcetype (if it exists). You can check this using btool
  3. enable the index settings in indexes.conf for index=okta providing correct bucket settings, rollover settings etc.

=========== example below ======

#inputs.conf
[monitor:///mycollection/location/filename]
sourcetype=required_okta_sourcetype
index = okta
blacklist = \.gz$

==

# indexes.conf

    [okta]
    homePath   = volume:home/okta/db
    coldPath   = volume:cold/okta/colddb
    thawedPath = $SPLUNK_DB/okta/thaweddb
    tstatsHomePath = volume:home/okta/datamodel_summary
    frozenTimePeriodInSecs = 34164000
    maxHotBuckets = 10
    maxDataSize = auto_high_volume
0 Karma
Reply
Solved! Jump to solution

jparct
Explorer
‎11-07-2017 08:18 AM

Thanks for this suggestion. I will explore this further.

0 Karma
Reply
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎11-06-2017 09:49 PM

One possible solution would be to create a new role , put "okta" as a default index for the role and then assign this role to the users who should be accessing the dashboards.

0 Karma
Reply
Solved! Jump to solution

jparct
Explorer
‎11-07-2017 08:18 AM

Thanks to those who answered. I opted to use the new role and set okta as the default index as it was the simplest solution. I will explore the other suggestions as well.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...