
How do I set the default search index in Splunk Light?

Engager

In Splunk Enterprise you can set the default search index per user. In Splunk Light you cannot, it seems?

I read another post which said you can edit the \etc\system\default\indexes.conf file and set defaultDatabase=mynewindex

And yet another post that said you should create \etc\system\local\indexes.conf file and set defaultDatabase=mynewindex

I tried both and restarted Splunk after each, but neither has made a difference.


Re: How do I set the default search index in Splunk Light?

SplunkTrust

Splunk Light doesn't support role customization (the default searched index is a role/user-level attribute).

Also, you should never change any configuration in the folder \etc\system\default\.


Re: How do I set the default search index in Splunk Light?

SplunkTrust

"all these worlds are yours, except /default - attempt no editing there"

-- @duckfez, 2010

http://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Configurationfiledirectories


Re: How do I set the default search index in Splunk Light?

Splunk Employee

Create a new file \etc\system\local\authorize.conf and add the following stanza to make that index searchable by default for all users:

[role_user]
srchIndexesDefault = main;my_new_index

If you want to restrict it to only Administrators, then use the following stanza instead:

[role_admin]
srchIndexesDefault = main;my_new_index

Then restart Splunk Light.
Changing indexes.conf will only change your default index when importing data.
Also, @somesoni2 is correct: you should never update conf files under default, as they will get overwritten upon updates.
Hope this helps.

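An added example, not part of any post in this thread: a Python sketch of how a `local` authorize.conf layers over `default`, so you can check which indexes a role searches by default without touching `\etc\system\default\`. The file contents are constructed samples, the helper names are hypothetical, and the merge is simplified to the two system directories (app directories and role inheritance are ignored).

```python
import configparser

# Constructed sample contents, not copied from a real installation.
SYSTEM_DEFAULT = """\
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main
"""

# What the accepted answer places in \\etc\\system\\local\\authorize.conf.
SYSTEM_LOCAL = """\
[role_user]
srchIndexesDefault = main;my_new_index
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # setting names are case-sensitive
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(default, local):
    """Overlay local on default, setting by setting within each stanza."""
    merged = {stanza: dict(kv) for stanza, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def default_search_indexes(merged, role):
    """Return the role's srchIndexesDefault as a list of index names."""
    raw = merged.get(f"role_{role}", {}).get("srchIndexesDefault", "")
    return [name.strip() for name in raw.split(";") if name.strip()]


if __name__ == "__main__":
    effective = merge_layers(parse_conf(SYSTEM_DEFAULT), parse_conf(SYSTEM_LOCAL))
    for role in ("user", "admin"):
        print(role, default_search_indexes(effective, role))
```

Only the setting named in `local` is overridden; the other settings in the same stanza still come from `default`, which is why the local file needs to contain nothing but the lines being changed.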