Solved: Is it possible to disable the main index?

ronak1308 · ‎06-28-2016

When I try to disable main index in Splunk Enterprise it gives me the following error:

In handler 'indexes': cannot disable idx=main, is internal

woodcock · ‎07-04-2016

Just remove main from Indexes searched by default and Available search indexes from the User role.

View solution in original post

inventsekar · ‎07-04-2016

For the learning purposes, may we know why you would like disable the main index, please.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

ronak1308 · ‎07-04-2016

I want to disable main index because my one application's data is being indexed in main index and other application's data in other index, so in order to test that we are getting same fields from both the applications I need to disable the indexes of one application and test the other. And moreover I can't delete any of the applications which would be the most easiest way to test.

woodcock · ‎07-04-2016

just specify index=other to avoid pulling in the Indexes searched by default setting (which contains Index=main).

woodcock · ‎07-04-2016

Just remove main from Indexes searched by default and Available search indexes from the User role.

Is it possible to disable the main index?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience