how to search in default indexes (not only one) in...

zugji · ‎04-13-2017

Hello folks

There is a way to configure which indexes belongs which splunk app. Is there also a way to configure in app to tell splunk per default which indexes to search through.
Let's say I have three indexes called: ix1, ix2, ix3

If I go to the searchbar of this app I would like that splunk is adding a base search: index=ix1 OR index=ix2 OR index=ix3 <rest_of_the_search_provided_by_the_user> that I don't have to enter everytime all indexes.

Thanks for your advise.

yannK · ‎04-13-2017

Short answer : No.
The index access is controlled by the roles, not by the apps.

You can use a macros specific to the app to prefill your base search, but you will have to find a way to call that macro.
You may want to piggy back on this question for way to script that :
https://answers.splunk.com/answers/521009/in-a-custom-app-dashboard-is-it-possible-to-have-a.html

gcusello · ‎04-14-2017

I usually create an eventtype with all indexes and I use it in every search, so in this way I can add or delete an index from my search without modifying all dashboards.
Bye.
Giuseppe

how to search in default indexes (not only one) in one app without providing the index.

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!