Once data is indexed in Splunk, it will not be changed. So if you want all the old events to go to the new indexes, you will need to remove the data from the indexes, and then reload it. Here are the steps: Stop the Splunk indexer Stop the Forwarder Remove the fishbucket directory on the forwarder Clean the Splunk indexes Start the indexer Start the forwarder You can do things in a different order, if you are careful. The Summary view only shows data from the indexes that the user is allowed to see by default. When you create new indexes, you should update the roles. For each role that should have access to the index, you need to add the index to the available indexes (unless the role has access to "all non-internal indexes"). If you also add the new index to the indexes that are searched by default, then the user will see the data from that index (sourcetypes and hosts) in the Summary view. The reason that you have to enter index=xyz is because the index is not searched by default for your role. ... View more

For the few Windows servers I am collecting data, none of it is from the Windows logs; only the application that runs on these servers. However, the UF gets its instructions from what to monitor from inputs.conf, so there is one defined on your server -- perhaps as a result of the MSI install process -- that has set this up. In that file is a line that reads "index={INDEX_NAME}". The file you want for your purpose is likely in the etc/system/local directory on the server with the UF installed. Check that out, it probably says "index=main" or "index=default" and you can edit that to read "index=dc_logs". Naturally, the UF will need restarted after this change is saved. ... View more