Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

index syntax question

trojan_81
Path Finder
‎11-27-2019 06:59 PM

Within Splunk cloud 7.2.6 - If I run a search without specifying index or sourcetype it will search the main index by default. Where can I find out what the main index consist of?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-28-2019 09:05 AM

Hi @trojan_81,
there's a list of indexes used by default by searches when an index isn't defined, by default in this list there's only main index.
For this reason, is always a best practice to insert in a search always the indication about the index to search.
If anyway you want to intervene on search default path, you can find it in User's roles [Settings -- Users and Authentication -- Roles -- Choose one -- Indexes], there's a flag column.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-28-2019 11:56 AM

To see what is in main, you can run search like this:

index=main earliest=-7d latest=now | fieldsummary

As far as why it searches main, that is completely dependent on what your local Splunk admin set for the roles that your user has. The setting is called Indexes Searched by Default and whenever I am admin, I ALWAYS set all of these to <NULL>. It is VERY bad practices to write searches without specifying index because the behavior can change AT ANY TIME.

0 Karma
Reply
Solved! Jump to solution

Arpit_S
Path Finder
‎11-28-2019 10:05 AM

@trojan_81 , if you don't specify the index name splunk will search for the specified search or keyword across the list default indexes specified in the role assigned to the user you are logged in as.

That\those index(es) might include main index or not.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-28-2019 09:05 AM

Hi @trojan_81,
there's a list of indexes used by default by searches when an index isn't defined, by default in this list there's only main index.
For this reason, is always a best practice to insert in a search always the indication about the index to search.
If anyway you want to intervene on search default path, you can find it in User's roles [Settings -- Users and Authentication -- Roles -- Choose one -- Indexes], there's a flag column.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎11-28-2019 06:10 AM

Do you mean what hosts, source, sourcetypes are sending data to the main index?
You can use the metadata command for that. On the Splunk search bar enter:
|metadata type=hosts index=main
You can also change hosts for sourcetypes or sources

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...