Do we have a Splunk attribute to fetch the index?
We are passing the index in the Splunk query. With only the log file, do we have any Splunk attribute to fetch the index?
index = aaa
index = bbb
Like we have for host:
index=aaa (source="/var/log/tes1.log") | stats count by host
I tried the below, but it didn't return anything:
(source="/var/ltest/test.log") | table index
Every query should specify an index name before the first pipe.
index=aaa source="/var/log/tes1.log" | stats count by index
Of course, there must be data in the specified index from the specified source for there to be results.
So we cannot load the index dynamically from log files, correct?
No, you cannot get the index name from a log file.
The index is specified when the data is onboarded as part of the inputs.conf settings.
At search time, data is fetched from one or more indexes. Getting the index from a log file would mean going to an index to get a log file to get the name of an index. Doesn't make much sense.
What problem are you trying to solve?
Hi
It depends on how your roles have been defined in authorization. There is an attribute srchIndexesDefault, which defines what indexes are used when you don't use index=xyz in your query. Of course, you must have access to those indexes. This is defined with the attribute srchIndexesAllowed. Both are defined in authorize.conf.
As has already been said, you should always use index=xyz in your queries to use the needed/wanted indexes, as different roles have different default indexes. IMHO you shouldn't ever use srchIndexesDefault, as it leads people to drop the index=xyz part from their queries.
r. Ismo
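To tie the two answers above together (the index being fixed in inputs.conf at onboarding, and role search scope coming from authorize.conf), here is an added configuration example. It is not from this thread or from Splunk's documentation; the file paths, index names, sourcetype and role name are assumed for illustration.

```ini
# inputs.conf (on the forwarder or input host): the index is decided here,
# per input stanza, before the data is ever searchable.
[monitor:///var/log/tes1.log]
index = aaa
sourcetype = test_app

[monitor:///var/ltest/test.log]
index = bbb
sourcetype = test_app

# authorize.conf (on the search head): what a role may search, and what it
# searches when a query omits index=.
[role_app_analyst]
# Explicit, semicolon-separated list of indexes this role may search at all.
srchIndexesAllowed = aaa;bbb
# Left empty on purpose: a query without index= then returns nothing, so
# users are pushed to name the index instead of relying on a default.
srchIndexesDefault =
```

With these settings, a user in role_app_analyst can run index=* source="/var/ltest/test.log" | stats count by index to see which index a given source landed in, and the result is bounded by srchIndexesAllowed rather than by whatever default the role happens to inherit.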
Do you get any events when you use this search? (You can also set the time range to be very large, in case the events from the log source are not in the past 24 hours. Also double-check that the source path is correct.)
index=* source="/var/ltest/test.log"
The field name ("attribute") for index is "index".