Solved: creating index under the main

Hindoo · ‎04-04-2015

I want to hold the logs arriving by source

stephane_cyrill · ‎04-04-2015

Hi,
If you know where to find the log or where the logs are stored, you can create a summary index with a well build request that fetch arriving log event by source and place then in a dedicared index that you can create.

To create summary indexing in splunk web(with splunk 6.2) go to Setting--->Search,alert,report--->add new.

View solution in original post

NOUMSSI · ‎04-04-2015

Hi,
By default, some logs are in index _internal. so you can send logs that you want in another index.
To do that, you must know the source of the logs that you want to send and you must create the index that will receive those logs.
If you have all ready done that, run this search:

index=_internal source=the_source_of_your_logs |collect index=new_index

You can create an alert that will run this search during a given periode

NOUMSSI · ‎04-06-2015

Hi,

when you create your summary indexing use this search code:

index=_internal source=the_source_of_your_logs |table status log_level ...

martin_mueller · ‎04-04-2015

Could you elaborate on your actual question?

stephane_cyrill · ‎04-04-2015

Hi,
If you know where to find the log or where the logs are stored, you can create a summary index with a well build request that fetch arriving log event by source and place then in a dedicared index that you can create.

To create summary indexing in splunk web(with splunk 6.2) go to Setting--->Search,alert,report--->add new.

Hindoo · ‎04-05-2015

Hello
Thanks a lot. It helped me..
But what we wrote in the search and search name fields

martin_mueller · ‎04-05-2015

What are you actually trying to do?

creating index under the main

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout