Splunk Search

Searching and reporting against custom indexes

salighie
New Member

I created a new Index for syslogservers to store remote syslog messages coming in on a Data Input UDP:514;

The index name is 'syslogservers'. I've configured and stored it in the same directory as the other (default) indexes;

However, when I try to run a search for events with the filter source="UDP:514", the search comes back with no events.

Looking a bit closer, it seems that by default the search only looks in the main index.

I have to add index="syslogservers" to the search filter for any events to be returned.

I've tried to figure this out, but I'm still a bit green with Splunk. Is there a way to tell Splunk to also search the additional index?

Any assistance you can provide would be greatly appreciated.

Instance specs:
HOST: Win2k16
Splunk Enterprise V7.2.5.1
Build: 962d9a8e1586
Search & Reporting V7.2.5.1

Regards,
Sebastiano

0 Karma
1 Solution

ashutoshab
Communicator

As a best practice, to avoid computing overhead, not all indexes are searched by default. If you want the index 'syslogservers' to be searched by default, you may go to Settings >> Access Controls >> Roles >> 'Select your Role' >> Indexes searched by default.
Here you select the index 'syslogservers' to be searched by default. This will make it searchable by default.

Searching all the indexes by default is not a Splunk best practice; instead, always force the user to mention the name of the index in the search. Searching many indexes by default impacts performance.


0 Karma


salighie
New Member

That's what I was looking for.

Thanks.

0 Karma

ashutoshab
Communicator

Welcome.

Thanks for selecting as solution.

Happy Splunking!

0 Karma

sduff_splunk
Splunk Employee

index=main OR index=syslogservers will search multiple indexes. index=* will search all the indexes you have permissions to search.

The default index that a user searches is configured as part of their user account and role. Best practice is that you specify the index that contains the data you are after, rather than use index=*.

0 Karma
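Worked example, added here and not posted by anyone in the thread: the authorize.conf stanzas behind the two answers above. The first stanza shows the stock admin role with its main;os default list, which is why source="UDP:514" alone finds nothing in syslogservers; the second is an assumed custom role (the name syslog_analyst is an assumption) whose default list has syslogservers added, which is what the Settings >> Access Controls >> Roles UI path writes.

```ini
# Added example, not from the thread. Lives in
# $SPLUNK_HOME/etc/system/local/authorize.conf (or an app's local/ directory).

# Stock admin role: allowed to search every index (*), but a search that names
# no index= term only scans main and os, so syslogservers is skipped.
[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = main;os

# Assumed custom role for syslog analysts. Listing only the indexes the role
# needs keeps the default search small (ashutoshab's performance point) while
# still letting source="UDP:514" match without an explicit index= term.
[role_syslog_analyst]
# Indexes the role may search at all; index=* expands to this list.
srchIndexesAllowed = main;os;syslogservers
# Indexes scanned when the search has no index= term (the UI's
# "Indexes searched by default" setting). Semicolon-separated.
srchIndexesDefault = main;os;syslogservers
```

After editing the file, restart Splunk or reload the configuration before expecting the new defaults to apply to existing sessions.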

salighie
New Member

Got it.

I am logged in as admin and assumed that it would search all indexes by default.

But, after reviewing authorize.conf, I see that its role only searches main;os by default.

OK, I get it now.

Thanks.

0 Karma

salighie
New Member

Sorry Sduff, I wanted to award you some points but the system says I don't have enough Karma.

I appreciate your response. Ultimately, I felt that ashutoshab provided a more complete answer.

0 Karma