Solved: How to get details regarding the deleted index?

vin02 · ‎04-11-2017

One of the index(eg. index= test) has been deleted from the environment. which log i have to check for the respective details.

adonio · ‎04-14-2017

View solution in original post

adonio · ‎04-14-2017

adonio · ‎04-12-2017

try this:

index = _audit user=* action=indexes_edit
index = _internal  component=IndexWriter message="*Initializin*" component=IndexWriter | table _time idx

Or this:

index = _audit user=* action=indexes_edit object=* | table user action object

hope it helps

vin02 · ‎04-13-2017

Thanks for your response. but when i am adding my index name ,not getting any result

vin02 · ‎04-13-2017

If my index name has been changed or deleted then how do i know?

adonio · ‎04-14-2017

Can you share how you are adding your index name in search?
I am attaching a screenshot on the answer below with an index i first created, then edited and then modified and then removed.
is it a single indexer? couple of them? indexer cluster?

How to get details regarding the deleted index?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector