Splunk Enterprise

Custom Indexes

alertsuser
New Member

If I use the Main index and using a Universal Forwarder I successfully index all event data in the Application, System and Security logs from a windows server.
However if I create with a new install of splunk custom indexes for each log type above the only events I seem to get in the logs are from the date that the custom indexes are created and not back to the first log entry on the server.
Can someone tell me if I need to instruct splunk to index all data or should it automatically pull all the events from the logs right back to the first one created?

Also using custom indexes, how do you add the Host and source types so they show on the Search Summary screen?
The only way I seem to be able to view them is by typing "index=log name" in the search box?
Thanks

Tags (1)
0 Karma
1 Solution

lguinn2
Legend

Once data is indexed in Splunk, it will not be changed. So if you want all the old events to go to the new indexes, you will need to remove the data from the indexes, and then reload it. Here are the steps:

  1. Stop the Splunk indexer
  2. Stop the Forwarder
  3. Remove the fishbucket directory on the forwarder
  4. Clean the Splunk indexes
  5. Start the indexer
  6. Start the forwarder

You can do things in a different order, if you are careful.

The Summary view only shows data from the indexes that the user is allowed to see by default. When you create new indexes, you should update the roles. For each role that should have access to the index, you need to add the index to the available indexes (unless the role has access to "all non-internal indexes"). If you also add the new index to the indexes that are searched by default, then the user will see the data from that index (sourcetypes and hosts) in the Summary view.

The reason that you have to enter index=xyz is because the index is not searched by default for your role.

View solution in original post

lguinn2
Legend

Once data is indexed in Splunk, it will not be changed. So if you want all the old events to go to the new indexes, you will need to remove the data from the indexes, and then reload it. Here are the steps:

  1. Stop the Splunk indexer
  2. Stop the Forwarder
  3. Remove the fishbucket directory on the forwarder
  4. Clean the Splunk indexes
  5. Start the indexer
  6. Start the forwarder

You can do things in a different order, if you are careful.

The Summary view only shows data from the indexes that the user is allowed to see by default. When you create new indexes, you should update the roles. For each role that should have access to the index, you need to add the index to the available indexes (unless the role has access to "all non-internal indexes"). If you also add the new index to the indexes that are searched by default, then the user will see the data from that index (sourcetypes and hosts) in the Summary view.

The reason that you have to enter index=xyz is because the index is not searched by default for your role.

Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...