I have created an inputs.conf file for deploying an app on a host machine to forward data.
[monitor:///xxxxxx]
index=a
disabled=false
sourcetype=Test
but I had created an index called b and, by mistake, mentioned a in the inputs.conf file, so data came into Splunk with this index, but I am not finding where exactly it is stored.
Where exactly is the data sent in this scenario? How can I resolve this?
If you do not have index A created, and configure an input to send to index A, then when the input sends and the indexers do not have the index, they will drop the events and generate an invalid index error. It will not move them to another index, or put them in _internal. (_internal is internal events for Splunk only.)
If you want to move the events from index A to index B, then you need to copy the buckets at the file level. ( $SPLUNK_HOME/var/lib/splunk/** )
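A preflight check for the misconfiguration in the question, as an added example that is not part of the original thread: it parses inputs.conf and indexes.conf (constructed samples below) and reports every enabled input whose index= is not defined anywhere, which is exactly the case in which the indexers drop the events. The built-in index set and the fallback to main when index= is absent are assumptions about a default install.

```python
import configparser

# Indexes that ship in $SPLUNK_HOME/etc/system/default/indexes.conf, so they
# exist even when your own indexes.conf never mentions them (assumed default install).
BUILTIN_INDEXES = {"main", "_internal", "_audit", "summary", "history"}

def _parse_conf(text):
    """Parse a Splunk .conf file (INI-style stanzas) into a ConfigParser."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return cp

def defined_indexes(indexes_conf):
    """Index names declared in indexes.conf: every stanza except [default] and volume:*."""
    cp = _parse_conf(indexes_conf)
    names = {s for s in cp.sections() if s != "default" and not s.startswith("volume:")}
    return names | BUILTIN_INDEXES

def find_missing_indexes(inputs_conf, indexes_conf):
    """Return {stanza: index} for every enabled input whose target index is not defined.
    An input with no index= falls back to main (assumed default)."""
    known = defined_indexes(indexes_conf)
    cp = _parse_conf(inputs_conf)
    missing = {}
    for stanza in cp.sections():
        if stanza == "default":
            continue
        if cp.get(stanza, "disabled", fallback="false").strip().lower() in ("1", "true"):
            continue  # disabled inputs never send events, so nothing can be dropped
        target = cp.get(stanza, "index", fallback="main").strip()
        if target not in known:
            missing[stanza] = target
    return missing

# Constructed sample files reproducing the question: the input names index "a",
# but only index "b" was ever created.
SAMPLE_INPUTS = """\
[monitor:///var/log/app]
index = a
disabled = false
sourcetype = Test

[monitor:///var/log/other]
disabled = false
sourcetype = Other
"""
SAMPLE_INDEXES = """\
[b]
homePath = $SPLUNK_DB/b/db
coldPath = $SPLUNK_DB/b/colddb
thawedPath = $SPLUNK_DB/b/thaweddb
"""

if __name__ == "__main__":
    for stanza, idx in find_missing_indexes(SAMPLE_INPUTS, SAMPLE_INDEXES).items():
        print(f"[{stanza}]: index={idx} is not defined; its events would be dropped")
```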
The instructions here are pretty straightforward:
If the index is not specified, data will go to the main index. You can get the logs by running
then specify the source from the Fields sidebar, then delete the events you want as per the following, but first you need to allow the user you are using to delete:
index=main source=test.gz | delete
Give the user permissions to delete from the web interface; I'll assume you are using the admin user:
Settings, Access controls, Users, admin
In the Assign to roles part, add can_delete, then save.
Thanks for the reply @mzorzi. In search it is not showing, but when I execute this query:
index=_internal (host=*xxx* OR host=*xxx*) NOT (series=_* OR series=*summary*) source=*metrics.log group=per_index_thruput earliest=-7d | timechart span=1d sum(eval(kb/1024)) AS "MB indexed" by series
then it is showing index a with an amount of data. Then is it in "_internal"? Then how do I move this data to my actual index b? Please help me on this.