I am a bit new to Splunk and I am stuck with finding the source of an index.
I have index "summary_cherwellobject" in /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf and data is coming in this index.
[summary_cherwellobject] stanza in /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf:
homePath = $SPLUNK_DB/summary_cherwellobject/db
coldPath = $SPLUNK_DB/summary_cherwellobject/colddb
thawedPath = $SPLUNK_DB/summary_cherwellobject/thaweddb
repFactor = auto
But I don't know how the data is coming in. I am unable to find the source file, and nothing mentioned in inputs.conf is related to this index.
When I look at the Index Detail: Instance report in the Monitoring Console, it says:
host is master.dr, source is summary_cherwellobject, and sourcetype is stash.
So please help me find the source input of this index.
The index name and the sourcetype stash indicate that your source is a scheduled saved search; use this search to find the saved search:
| rest /services/saved/searches | search auto_summarize=1 | table title eai:acl.app
title is the name of the saved search and eai:acl.app is the name of the app where the search is saved.
Hope this helps ...
The stash sourcetype indicates that the index is a summary index and is probably receiving events from a search that has | collect in it. You can search for this like this:
| rest /servicesNS/-/-/saved/searches splunk_server=local
| regex search="(?ms)\|\s*collect\s+"
If you put my answer and the one from @MuS together, you have it all covered.