- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try to disable main index in Splunk Enterprise it gives me the following error:
In handler 'indexes': cannot disable idx=main, is internal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just remove main from Indexes searched by default and Available search indexes from the User role.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the learning purposes, may we know why you would like disable the main index, please.
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to disable main index because my one application's data is being indexed in main index and other application's data in other index, so in order to test that we are getting same fields from both the applications I need to disable the indexes of one application and test the other. And moreover I can't delete any of the applications which would be the most easiest way to test.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just specify index=other to avoid pulling in the Indexes searched by default setting (which contains Index=main).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just remove main from Indexes searched by default and Available search indexes from the User role.
