Re: Indexes appear in usage report but not in inde...

sidekix24 · ‎05-04-2017

I just inherited a stand alone splunk instance and when I run the usage report by indexes, I see a couple of indexes that are ingesting data on a daily basis but I don't see those indexes in the indexes.conf or an folders for those indexes on the indexer.

Has anyone seen this before?

adonio · ‎05-04-2017

If it is a stand alone splunk,
navigate to settings -> indexes and and check the apps under App column.
there is a good posibilty there are different apps that has different indexes.conf
the TA for Windows for example has 3 indexes shipped with it: windows wineventlogs and perfmon
Or use this to search the rest endpoint and discover via search bar:

| rest /services/data/indexes 
| table title eai:acl.app

hope it helps and you find your indexes

DalJeanis · ‎05-04-2017

Chances are pretty good they are summary indexes and/or related to data model acceleration or report acceleration. The data will be stored in stash files, unless the collect command specifies a new sourcetype. Not sure whether license usage reports show the indexes that are using stash - it's not billable, but that doesn't necessarily mean it isn't on the report.

Check the section on this page about "Example of a summary index configuration" to see what to look for in savedsearches.conf ...

http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Configuresummaryindexes

Indexes appear in usage report but not in indexes.conf or on indexer

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!