Solved: How to get details regarding the deleted index?

vin02 · ‎04-11-2017

One of the index(eg. index= test) has been deleted from the environment. which log i have to check for the respective details.

adonio · ‎04-14-2017

View solution in original post

adonio · ‎04-14-2017

adonio · ‎04-12-2017

try this:

index = _audit user=* action=indexes_edit
index = _internal  component=IndexWriter message="*Initializin*" component=IndexWriter | table _time idx

Or this:

index = _audit user=* action=indexes_edit object=* | table user action object

hope it helps

vin02 · ‎04-13-2017

Thanks for your response. but when i am adding my index name ,not getting any result

vin02 · ‎04-13-2017

If my index name has been changed or deleted then how do i know?

adonio · ‎04-14-2017

Can you share how you are adding your index name in search?
I am attaching a screenshot on the answer below with an index i first created, then edited and then modified and then removed.
is it a single indexer? couple of them? indexer cluster?

How to get details regarding the deleted index?

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!