Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Trial version - Need to change the index name

VijaySrrie
Builder
‎04-09-2020 06:03 AM

Hi,

I have downloaded Splunk enterprise Trial version for Windows 64 bit. Only the Search Head is accessible?
I created a text file and got into splunk and I could see the logs under main index if suppose I need to change the name of the index where should I change? or due to trial version all the logs by default goes to main index?

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-09-2020 09:58 AM

The trial version of Splunk is a standalone instance - a combined search head and indexer.

It's not clear what is meant by "change the name of the index".

If you want to have your data go to an index other than "main", it's a matter of changing the appropriate inputs.conf file. Replace index = main with index = <something else> in the stanza for your text file. <something else> will be the name of an index from Settings->Indexes.

If you want to change the name of index 'main' to something else, that can be done. Stop Splunk, edit indexes.conf and change main to <some new name> throughout. Rename the index directory $SPLUNK_HOME/var/lib/splunk/main to $SPLUNK_HOME/var/lib/splunk/<some new name> then start Splunk.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-09-2020 09:58 AM

The trial version of Splunk is a standalone instance - a combined search head and indexer.

It's not clear what is meant by "change the name of the index".

If you want to have your data go to an index other than "main", it's a matter of changing the appropriate inputs.conf file. Replace index = main with index = <something else> in the stanza for your text file. <something else> will be the name of an index from Settings->Indexes.

If you want to change the name of index 'main' to something else, that can be done. Stop Splunk, edit indexes.conf and change main to <some new name> throughout. Rename the index directory $SPLUNK_HOME/var/lib/splunk/main to $SPLUNK_HOME/var/lib/splunk/<some new name> then start Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎04-09-2020 08:28 PM

Is it possible to stop the Splunk from GUI ? do the necessary changes in GUi ?
If not from GUI where can I find the indexes.conf file?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-10-2020 05:33 AM

You can restart Splunk from the GUI, but you cannot stop it (how would you start it?).
Indexes cannot be renamed from the GUI.
Inputs can be changed to send to a different index via the GUI.
The Linux find command can help you find the indexes.conf files. find /opt/splunk -name indexes.conf. Or use find /opt/splunk -name indexes.conf -print0 | xargs -r0 egrep "index\s=\sfoo" to references to index 'foo'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎04-11-2020 08:35 PM

ok Thank You

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...