Why does a Summary Index use the "main" index when I specified a completely different index? I have looked in inputs.conf and savedsearches.conf and cannot determine why/how the main index is being used. To be fair, we initially used main, but then decided to go with a completed different index name. Main still receives data and so does the new index.
Data will land in the index mentioned in .conf files only, can you rechek or you can troubleshoot using "btool" command,
Have you found a resolution to the issue?
I am seeing a similar issue but it seems to be random (not consistent behavior at all)
What version are you dealing with? Is it a search cluster?
it is un clear from your question if you mean to data being generated by a search and written to an index - meaning "summarized data", or to data that lands in splunk right from the source - "indexed data". by default, main is the default index if no other index is specified in inputs.conf. summary (the index) is the default summary index if no other index is specified in savedsearches.conf.
which one is it?
I mean the former -- data being generated by a search and written to a summary index. I suspect a user initially selected the main index to write to, but then changed their mind. So now, we have summary data being written to a new index and the main index. The problem is, I cannot find any reference to the main index.