Splunk Search

Searching and reporting against custom indexes

salighie
New Member

I created a new index for syslog servers to store remote syslog messages coming in on a Data Input UDP:514.

The index name is 'syslogservers'. I've configured and stored it in the same directory as the other (default) indexes.

However, when I try to run a search for events with the filter source="UDP:514", the search comes back with no events.

Looking a bit closer, it seems that by default the search only looks in the main index.

I have to add index="syslogservers" to the search filter for any events to be returned.

I've tried to figure this out, but I'm still a bit green to Splunk. Is there a way to tell Splunk to also search the additional index?

Any assistance you can provide would be greatly appreciated.

Instance specs:
HOST: Win2k16
Splunk Enterprise V7.2.5.1
Build: 962d9a8e1586
Search & Reporting V7.2.5.1

Regards,
Sebastiano

0 Karma
1 Solution

ashutoshab
Communicator

As a best practice to avoid computing overhead, not all indexes are searched by default. If you want the index 'syslogservers' to be searched by default, go to Settings >> Access Controls >> Roles >> 'Select your Role' >> Indexes searched by default.
Here you select the index 'syslogservers' to be searched by default. This will make it searchable by default.

Searching all the indexes by default is not a Splunk best practice; instead, always force the user to mention the name of the index in the search. Searching many indexes by default impacts performance.

0 Karma

salighie
New Member

That's what I was looking for.

Thanks.

0 Karma

ashutoshab
Communicator

Welcome.

Thanks for selecting as solution.

Happy Splunking!

0 Karma

sduff_splunk
Splunk Employee

index=main OR index=syslogservers will search multiple indexes. index=* will search all the indexes you have permissions to search.

The default index that a user searches is configured as part of their user account and role. Best practice is that you specify the index that contains the data you are after, rather than use index=*.

0 Karma

salighie
New Member

Got it.

I am logged in as admin and assumed that it would search all indexes by default.

But, after reviewing authorize.conf, I see that its role only searches main;os by default.

OK, I get it now.

Thanks.

0 Karma
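The authorize.conf observation above (a role that searches only main;os by default) is the kind of thing worth checking for every role before relying on a new index showing up in searches. The checker below is an added example, not code from the thread or from Splunk: it parses role stanzas, follows importRoles, and reports whether a role is allowed to search a given index and whether that index is in the role's default search set. The setting names srchIndexesAllowed, srchIndexesDefault and importRoles are real authorize.conf settings; the stanza contents are constructed for the example.

```python
import configparser
import fnmatch
from typing import Dict, List, Optional, Set

# Constructed sample authorize.conf, modelled on the thread: admin may search
# every index but only searches main and os by default.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
importRoles = user
srchIndexesAllowed = *
srchIndexesDefault = main;os

[role_user]
srchIndexesAllowed = main;syslogservers
srchIndexesDefault = main

[role_syslog_analyst]
importRoles = user
srchIndexesDefault = syslogservers
"""

def _split(value: str) -> List[str]:
    # srchIndexes* settings are semicolon-separated index names or globs
    return [v.strip() for v in value.split(";") if v.strip()]

def load_roles(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the [role_<name>] stanzas; configparser lowercases the keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s[len("role_"):]: {k: _split(v) for k, v in cp.items(s)}
            for s in cp.sections() if s.startswith("role_")}

def effective(roles, role: str, key: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Union of a list setting over the role and the roles it imports."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:  # unknown role or import cycle
        return set()
    seen.add(role)
    values = set(roles[role].get(key, []))
    for parent in roles[role].get("importroles", []):
        values |= effective(roles, parent, key, seen)
    return values

def index_visibility(roles, role: str, index: str) -> Dict[str, bool]:
    """Can the role search `index` at all, and does it do so without index=?"""
    def matches(key: str) -> bool:
        return any(fnmatch.fnmatchcase(index, p) for p in effective(roles, role, key))
    return {"allowed": matches("srchindexesallowed"), "searched_by_default": matches("srchindexesdefault")}
```

A role where allowed is True but searched_by_default is False is exactly the situation in this thread: the data is there, but only a search that names the index will return it.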

salighie
New Member

Sorry Sduff - I wanted to award you some points but the system says I don't have enough Karma.

I appreciate your response. Ultimately, I felt that ashutoshab provided a more complete answer.

0 Karma