I am a bit new to Splunk and I am stuck with finding the source of an index.
I have an index "summary_cherwellobject" in /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf, and data is coming into this index:
[summary_cherwellobject]
homePath = $SPLUNK_DB/summary_cherwellobject/db
coldPath = $SPLUNK_DB/summary_cherwellobject/colddb
thawedPath = $SPLUNK_DB/summary_cherwellobject/thaweddb
repFactor = auto
But I don't know how the data is coming in. I am unable to find the source file, and nothing mentioned in inputs.conf is related to this index.
When I look at the index detail (Instance report from the monitoring console), it says:
host is master.dr, source is summary_cherwellobject and sourcetype is stash.
So please help me find the source input of this index.
The index name and the sourcetype stash indicate that your source is a scheduled saved search. Use this search to find the saved search:
| rest /services/saved/searches | search auto_summarize=1 | table title eai:acl.app
Title is the name of the saved search and eai:acl.app is the name of the app where the search is saved.
Hope this helps ...
The stash sourcetype indicates that the index is a summary index and is probably receiving events from a search that has | collect in it. You can search for this like this:
| rest /servicesNS/-/-/saved/searches splunk_server=local | regex search="(?ms)\|\s*collect\s+"
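Both answers above boil down to the same check: look through the saved searches for something that writes into the summary index, either via a `| collect index=...` clause or via the summary indexing action in savedsearches.conf. The following script is an added example, not part of either answer and not Splunk's own code, that does that check offline against a savedsearches.conf file (for instance one copied from a search head) instead of via the REST endpoint. The stanza names and search strings in SAMPLE_CONF are constructed; the keys `search`, `auto_summarize`, `action.summary_index` and `action.summary_index._name`, and the `collect` command's default index of `summary`, follow the Splunk documentation, but `find_summary_writers` and `find_auto_summarized` are helper names invented here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample savedsearches.conf. Stanza titles and searches are
# made up for this example; they are not from the poster's deployment.
SAMPLE_CONF = """\
[Cherwell objects hourly rollup]
search = index=cherwell sourcetype=cherwell:object \\
  | stats count by object_type \\
  | collect index=summary_cherwellobject
cron_schedule = 5 * * * *
enableSched = 1

[Cherwell daily summary]
search = index=cherwell | timechart span=1d count
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_cherwellobject

[Cherwell report acceleration]
search = index=cherwell | stats count by status
auto_summarize = 1

[Unrelated alert]
search = index=_internal log_level=ERROR | head 10
enableSched = 1
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk .conf file into {stanza: {key: value}}.

    Handles '#' comment lines and backslash line continuations, which
    multi-line 'search =' values in savedsearches.conf commonly use.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    joined = re.sub(r"\\\n", " ", text)  # fold continuation lines first
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


# '| collect ...' up to the next pipe; arguments captured for inspection.
COLLECT_RE = re.compile(r"\|\s*collect\b([^|]*)", re.IGNORECASE)
INDEX_ARG_RE = re.compile(r"\bindex\s*=\s*\"?([\w-]+)", re.IGNORECASE)


def collect_target(search: str) -> Optional[str]:
    """Return the index a '| collect' clause writes to, or None if there is none."""
    m = COLLECT_RE.search(search)
    if not m:
        return None
    arg = INDEX_ARG_RE.search(m.group(1))
    return arg.group(1) if arg else "summary"  # collect's documented default index


def find_summary_writers(stanzas: Dict[str, Dict[str, str]], index: str) -> List[dict]:
    """List saved searches that write into `index`, by collect or by the summary action."""
    hits = []
    for title, kv in stanzas.items():
        if collect_target(kv.get("search", "")) == index:
            hits.append({"title": title, "method": "| collect"})
        # Summary indexing action: enabled flag plus target index (default 'summary').
        if kv.get("action.summary_index") == "1" and \
                kv.get("action.summary_index._name", "summary") == index:
            hits.append({"title": title, "method": "action.summary_index"})
    return hits


def find_auto_summarized(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Titles with auto_summarize=1, the filter the first answer's REST search uses."""
    return [title for title, kv in stanzas.items() if kv.get("auto_summarize") == "1"]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for hit in find_summary_writers(conf, "summary_cherwellobject"):
        print(f"{hit['title']!r} writes to summary_cherwellobject via {hit['method']}")
    print("auto_summarize=1:", find_auto_summarized(conf))
```

Run it against a real file by replacing SAMPLE_CONF with the contents of `.../local/savedsearches.conf` from each app on the search head; the `eai:acl.app` column the first answer mentions corresponds to which app's directory the matching stanza came from.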