Specify one or multiple indexes to search
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Specify one or multiple indexes to search
You have always been able to create new indexes and manage where you want to store your data. Now, when you have data split across different indexes, you're no longer limited to searching one index at a time — you can search across multiple indexes at once!
The Splunk administrator can set the default indexes that a user searches. Based on the user's roles and permissions, he may have access to one or many indexes; for example the user may only be able to search main or all public indexes. The user can then specify a subset of these indexes, either an individual index or multiple indexes, to search. For more information about setting up users and roles, see the "About users and roles" chapter in the Admin manual.
For more information about managing your indexes and setting up multiple indexes, see the "About managing indexes" chapter in the Admin manual.
Control index access via Splunk Web
Go into the Splunk Manager screen (click on 'Manager' in the top right corner), then click on 'Roles'. Select the role that the User has been assigned to and then on the bottom of the next screen you'll find the index controls. You can control the indexes that particular role has access to, as well as the default search indexes.
Syntax
You can specify different indexes to search in the same way that you specify field names and values. In this case, the field name is index and the field value is the name of a particular index:
index=<indexname>index=mai*You can also use parentheses to partition different searches to certain indexes. See Example 3 for details.
Note: When you type "index=" into the search bar, typeahead indicates all the indexes that you can search, based on your roles and permissions settings.
Examples
Example 1: Search across all public indexes.
index=*Example 2: Search across all indexes, public and internal.
index=* OR index=_*Example 3: Partition different searches to different indexes; in this example, you're searching three different indexes: main, _internal, and mail. You want to see events that match "error" in all three indexes; but also, errors that match "warn" in main or "failed" in mail.
(index=main (error OR warn)) OR (index=_internal error) OR (index=mail (error OR failed))Example 4: Search across multiple indexes on different distributed Splunk servers.
(splunk-server=local index=main 404 ip=10.0.0.0/16) OR (splunk-server=remote index=mail user=admin)Not finding the events you're looking for?
When you add an input to Splunk, that input gets added relative to the app you're in. Some apps, like the *nix and Windows apps that ship with Splunk, write input data to a specific index (in the case of *Nix and Windows, that is the 'os' index).
If you're not finding data that you're certain is in Splunk, be sure that you're looking at the right index. You may want to add the 'os' index to the list of default indexes for the role you're using. For more information about roles, refer to the topic about roles in this manual.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.