It seems that since my upgrade to Splunk 6.3 from 6.1, a new index called "default" has appeared. Also, since then, my license usage has increased. I am not sure if they are related.
Hi,
I can only speak for myself, but in 6.3.1 the main index is still present and there's no "default" index.
Maybe you installed a TA that created that index?
Kind regards
Thanks, I did install the Unix add-on and app. However, my split license usage does not show main anymore. It only shows default, os and one other that I created. Definitely new behavior since my upgrade.
I have the Splunk_TA_nix as well, that's not it.
Try to have a look inside the indexes.conf. Maybe you can see something there about the main index. It should be in there.
SPLUNK_HOME/etc/system/default( or local)/indexes.conf
main is still in there as a definition but the path is: homePath = $SPLUNK_DB/defaultdb/db
Not really sure what it was called before or if it was always called this. I do know that main was always the "default" index.
That's mine, should be the default:
[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
tstatsHomePath = volume:_splunk_summaries/defaultdb/datamodel_summary
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume