Solved: Is it possible to disable the main index?

ronak1308 · ‎06-28-2016

When I try to disable main index in Splunk Enterprise it gives me the following error:

In handler 'indexes': cannot disable idx=main, is internal

woodcock · ‎07-04-2016

Just remove main from Indexes searched by default and Available search indexes from the User role.

View solution in original post

inventsekar · ‎07-04-2016

For the learning purposes, may we know why you would like disable the main index, please.

ronak1308 · ‎07-04-2016

I want to disable main index because my one application's data is being indexed in main index and other application's data in other index, so in order to test that we are getting same fields from both the applications I need to disable the indexes of one application and test the other. And moreover I can't delete any of the applications which would be the most easiest way to test.

woodcock · ‎07-04-2016

just specify index=other to avoid pulling in the Indexes searched by default setting (which contains Index=main).

woodcock · ‎07-04-2016

Just remove main from Indexes searched by default and Available search indexes from the User role.

Is it possible to disable the main index?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann