Getting Data In

Why are we unable to find the input source of an index?

I am a bit new to Splunk and I am stuck with finding the source of an index.

I have index "summary_cherwellobject" in /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf and data is coming in this index.

[summary_cherwellobject]
homePath   = $SPLUNK_DB/summary_cherwellobject/db
coldPath   = $SPLUNK_DB/summary_cherwellobject/colddb
thawedPath = $SPLUNK_DB/summary_cherwellobject/thaweddb
repFactor = auto

But I don't know how the data is coming in. I am unable to find the source file, and nothing mentioned in inputs.conf is related to this index.

When I look at the index detail Instance report in the monitoring console, it says:
host is master.dr, source is summary_cherwellobject and sourcetype is stash.

So please help me find the source input of this index.


Re: Why are we unable to find the input source of an index?

SplunkTrust

Hi ahmadsaadwarraich,

The index name and the sourcetype stash indicate that your source is a scheduled saved search. Use this search to find the saved search:

| rest /services/saved/searches | search auto_summarize=1 | table title eai:acl.app

title is the name of the saved search and eai:acl.app is the name of the app where the search is saved.

Hope this helps ...

cheers, MuS



Re: Why are we unable to find the input source of an index?

Esteemed Legend

The stash sourcetype indicates that the index is a summary index and is probably receiving events from a search that has | collect in it. You can search for this like so:

| rest /servicesNS/-/-/saved/searches splunk_server=local
| regex search="(?ms)\|\s*collect\s+"
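As an added example that is not part of this thread and not Splunk's own tooling: the two REST searches above answer the question from a live search head, but the same check can be run offline against the savedsearches.conf files on disk. The script below parses those files and reports every stanza that feeds a named index through either mechanism that produces stash events, the summary-index action (action.summary_index = 1 with action.summary_index._name) or an explicit "| collect index=...". Assumptions: the sample conf text is constructed for the demo; the parser handles only the subset of .conf syntax shown ([stanza] headers, key = value, "#" comments, trailing-backslash continuation); and scheduled searches are defined on the search head, typically under etc/apps/<app>/local/savedsearches.conf or etc/apps/<app>/default/savedsearches.conf, not in the indexer's slave-apps bundle where the indexes.conf in the question lives.

```python
"""Locate the saved searches that feed a Splunk summary index.

Two mechanisms write sourcetype=stash events into a named index:
  1. the summary-index action on a scheduled search
     (action.summary_index = 1, action.summary_index._name = <index>)
  2. an explicit "| collect index=<index>" in the search string
Both live in savedsearches.conf, so this script parses those files and
reports every stanza that targets the index you name.
"""
import re
import sys
from typing import Dict, List

# Constructed sample savedsearches.conf for demonstration; the stanza names
# and searches are made up and do not come from the poster's deployment.
SAMPLE_SAVEDSEARCHES_CONF = """
# summary indexing via the scheduled-search action
[Cherwell Object Rollup]
enableSched = 1
cron_schedule = */15 * * * *
search = index=cherwell sourcetype=cherwell:object | stats count BY object_type
action.summary_index = 1
action.summary_index._name = summary_cherwellobject

# summary indexing via an explicit collect, with a backslash line continuation
[Cherwell Nightly Collect]
enableSched = 1
cron_schedule = 0 2 * * *
search = index=cherwell | stats dc(object_id) AS objects BY object_type \\
    | collect index="summary_cherwellobject" marker="job=nightly"

[Unrelated Report]
enableSched = 1
search = index=web status=500 | timechart count
"""

_CONTINUATION = re.compile(r"\\$")                      # trailing backslash
_COLLECT = re.compile(r"\|\s*collect\b([^|]*)", re.IGNORECASE)
_INDEX_ARG = re.compile(r"\bindex\s*=\s*\"?([\w.-]+)\"?", re.IGNORECASE)


def parse_splunk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf syntax: [stanza] headers, key = value
    pairs, '#' comments and trailing-backslash line continuation. This covers
    only the subset needed here; it is not Splunk's own parser (assumption)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.rstrip()
        if _CONTINUATION.search(line):
            buf = _CONTINUATION.sub("", line)  # join with the next line
            continue
        buf = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")  # split on the first '='
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def feeders_of_index(stanzas: Dict[str, Dict[str, str]], index_name: str) -> List[dict]:
    """Return the stanzas whose summary-index action or collect command targets index_name."""
    hits: List[dict] = []
    for name, kv in stanzas.items():
        scheduled = kv.get("enableSched") == "1"
        # Mechanism 1: summary-index action; Splunk's default target is "summary".
        if kv.get("action.summary_index", "0").lower() in ("1", "true"):
            if kv.get("action.summary_index._name", "summary") == index_name:
                hits.append({"saved_search": name, "mechanism": "action.summary_index",
                             "scheduled": scheduled})
        # Mechanism 2: explicit collect; again "summary" is the default index.
        for m in _COLLECT.finditer(kv.get("search", "")):
            arg = _INDEX_ARG.search(m.group(1))
            if (arg.group(1) if arg else "summary") == index_name:
                hits.append({"saved_search": name, "mechanism": "collect",
                             "scheduled": scheduled})
    return hits


def scan_files(paths: List[str], index_name: str) -> List[dict]:
    """Parse each savedsearches.conf path and tag every hit with its file."""
    results: List[dict] = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for hit in feeders_of_index(parse_splunk_conf(fh.read()), index_name):
                results.append({"file": path, **hit})
    return results


if __name__ == "__main__":
    # Usage: python find_summary_feeders.py <index> [savedsearches.conf ...]
    # With no files given, runs against the constructed sample above.
    index = sys.argv[1] if len(sys.argv) > 1 else "summary_cherwellobject"
    if len(sys.argv) > 2:
        found = scan_files(sys.argv[2:], index)
    else:
        found = feeders_of_index(parse_splunk_conf(SAMPLE_SAVEDSEARCHES_CONF), index)
    for hit in found:
        print(hit)
```

Run it on the search head with the conf paths you want checked, for example the local and default savedsearches.conf of every app, and match the saved search it reports against the source and host values the monitoring console shows. An enableSched of 0 on a hit means the search still targets the index but is not currently scheduled, so the data may be coming from a different, enabled copy in another app.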

Re: Why are we unable to find the input source of an index?

Esteemed Legend

If you put my answer and the one from @MuS together, you have it all covered.
