Splunk Search

Searching and reporting against custom indexes

salighie
New Member

I created a new index for syslogservers to store remote syslog messages coming in on a Data Input UDP:514.

The index name is 'syslogservers'. I've configured and stored it in the same directory as the other (default) indexes.

However, when I try to run a search for events with filter source="UDP:514" the search comes back with no events.

Looking a bit closer, it seems that by default the search only looks in the main index.

I have to add index="syslogservers" to the search filter for any events to be returned.

I've tried to figure this out, but I'm still a bit green to Splunk. Is there a way to tell Splunk to also search the additional index?

Any assistance you can provide would be greatly appreciated.

Instance specs:
HOST: Win2k16
Splunk Enterprise V7.2.5.1
Build: 962d9a8e1586
Search & Reporting V7.2.5.1

Regards,
Sebastiano


ashutoshab
Communicator

As a best practice to avoid computing overhead, by default not all indexes are searched. If you want the index 'syslogservers' to be searched by default you may go to Settings >> Access Controls >> Roles >> 'Select your Role' >> Indexes searched by default.
Here you select the index 'syslogservers' to be searched by default. This will make it searchable by default.

Searching all the indexes by default is not a Splunk best practice; instead, always force the user to mention the name of the index in the search. Searching many indexes by default impacts performance.


salighie
New Member

That's what I was looking for.

Thanks.


ashutoshab
Communicator

Welcome.

Thanks for selecting as solution.

Happy Splunking!


sduff_splunk
Splunk Employee

index=main OR index=syslogservers will search multiple indexes. index=* will search all the indexes you have permissions to search.

The default index that a user searches is configured as part of their user account and role. Best practice is that you specify the index that contains the data you are after, rather than use index=*.


salighie
New Member

Got it.

I am logged in as admin and assumed that it would search all indexes by default.

But, after reviewing authorize.conf, I see that its role only searches main;os by default.

OK, I get it now.

Thanks.

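The role setting sduff_splunk describes, and the main;os value found in authorize.conf above, correspond to the following stanza; this is an added illustration, not from any of the posts, and it assumes the role in question is the built-in admin role (stanza [role_admin]) and that the internal-index wildcard _* is present in its allowed list.

```ini
# Example authorize.conf role stanza (constructed for illustration, not from the thread).
# Assumption: the role being edited is the built-in admin role, stanza [role_admin].
# Put overrides in $SPLUNK_HOME/etc/system/local/authorize.conf; never edit default/.
[role_admin]

# Access-control boundary: the indexes this role may search at all.
# A search with index=* expands only to indexes matched here, so this, not the
# default list, is what limits what a user can see. "_*" (assumed) matches internal
# indexes such as _internal and _audit.
srchIndexesAllowed = *;_*

# Convenience setting: the indexes searched when the SPL carries no index= term.
# Before: the value reported in the thread, which is why source="UDP:514" returned
# nothing until index="syslogservers" was added to the search.
# srchIndexesDefault = main;os

# After: the custom index is now searched by default for this role. Keep this list
# short; every index listed here is scanned by each search without an index= term.
srchIndexesDefault = main;os;syslogservers
```

The Settings >> Access Controls >> Roles page writes the same two keys, so the file and the UI can be cross-checked when auditing who can search which index.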

salighie
New Member

Sorry Sduff, I wanted to award you some points but the system says I don't have enough Karma.

I appreciate your response. Ultimately, I felt that ashutoshab provided a more complete answer.
