Splunk Search

What are the two ways to list indexes available in Splunk search head?

Hemnaath
Motivator

Hi All,

I had two questions on Splunk.

1) How to list the index details available in Splunk search heads?
2) What are streaming and non-streaming commands and how are they executed (in which scenarios are they used)?

Thanks in advance.

0 Karma

richgalloway
SplunkTrust

Are these exam questions?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Hemnaath
Motivator

Hi richgalloway, it's an interview question which I was unable to answer, so could you guide me on the proper answer to this question?

Thanks.

0 Karma

Hemnaath
Motivator

Hi guys, can anyone update me on this?

Regarding streaming and non-streaming commands, got the below detail on how the commands are executed.

Streaming commands - operate on each event as it is returned by a search. Think of applying a "function/transformation" to each event and then writing out the result of that operation. An example of such a command might be a command that adds a field to each event.

Non-streaming commands - expect to have all the data before they operate on it. An example of a non-streaming command is the stats command, which will collect all the data before it can calculate the statistics.

Similarly, for the below question, let me know whether the answer to the question is correct or not!
1) How to list the index details available in Splunk search heads?

We can list the indexes configured in the Splunk search head by logging in to the Splunk web portal --> Settings --> Indexes.
We can also execute the splunk btool command from the search head instance to find the list of indexes available in the Splunk search head.

./splunk btool indexes list --debug | less

0 Karma

rvany
Communicator

Your splunk btool indexes list --debug just reflects what is in your indexes.conf files. This could fit the active indexes, but only after a restart of Splunk after changes to any of your indexes.conf files.

0 Karma

somesoni2
Revered Legend

You can also use REST API endpoints (with the | rest command) to know the indexes created.
http://docs.splunk.com/Documentation/Splunk/6.2.6/RESTREF/RESTintrospect#data.2Findexes

| rest /services/data/indexes splunk_server=local
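
Added example (not part of any reply above, and not Splunk's own code): btool reports what is in indexes.conf on disk, which can differ from the indexes the running instance has loaded, so this sketch compares index stanzas parsed from btool --debug output with the active index names that the | rest search returns in its title field. The sample data and function names are constructed, and the "<conf file> <stanza or setting>" line layout and the skipping of [default] and ':' stanzas are assumptions.

```shell
# Constructed sample of `./splunk btool indexes list --debug` output
# (assumed layout: "<conf file> <stanza header or setting>").
sample_btool() {
cat <<'EOF'
/opt/splunk/etc/system/default/indexes.conf [default]
/opt/splunk/etc/system/default/indexes.conf maxDataSize = auto
/opt/splunk/etc/system/default/indexes.conf [main]
/opt/splunk/etc/system/default/indexes.conf homePath = $SPLUNK_DB/defaultdb/db
/opt/splunk/etc/system/local/indexes.conf   [volume:hot]
/opt/splunk/etc/system/local/indexes.conf   path = /data/hot
/opt/splunk/etc/apps/sec/local/indexes.conf [firewall]
/opt/splunk/etc/apps/sec/local/indexes.conf homePath = volume:hot/firewall/db
EOF
}

# Print index stanza names found in btool --debug output on stdin.
# Assumption: [default] and stanzas containing ':' (such as volume:) are
# settings containers, not indexes, so they are skipped.
configured_indexes() {
  awk '$2 ~ /^\[.*\]$/ {
         name = substr($2, 2, length($2) - 2)
         if (name != "default" && name !~ /:/) print name
       }' | sort -u
}

# Read btool output on stdin; arguments are the active index names, e.g. the
# title values from: | rest /services/data/indexes splunk_server=local
# Prints indexes that are configured on disk but not active yet.
pending_restart() {
  active=" $* "
  configured_indexes | while read -r name; do
    case "$active" in
      *" $name "*) ;;           # already loaded by the running instance
      *) echo "$name" ;;        # only in indexes.conf so far
    esac
  done
}

# Constructed scenario: only "main" is active, so "firewall" is reported.
sample_btool | pending_restart main
```

On a real search head, pipe ./splunk btool indexes list --debug into pending_restart and pass the title values from the REST search as arguments.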