Splunk® Enterprise

Getting Data In


Use a test index to test your inputs

Before adding new inputs to your production index, it is best to test them out. Add the inputs to a test index. Once you've verified that you're receiving the right data inputs and that the resulting events are in a usable form, you can point the inputs to your default "main" index. You can continue to test new inputs this way over time.

If you find that the inputs you started with are not the ones you want, or that the indexed events don't appear the way you need them to, you can keep working with the test index until you get results you like. When things start looking good, you can edit the inputs to point to your main index instead.

You can preview how Splunk software will index your data into a test index. During preview, you can adjust some event processing settings interactively. See "The Set Sourcetype page" for details.

Use a test index

To learn how to create and use custom indexes, read "Create custom indexes" in the Managing Indexers and Clusters manual. There are a few basic steps, described in detail in that topic:

1. Create the test index, using Splunk Web, or, if you have Splunk Enterprise, using the CLI or by editing indexes.conf directly. See "Create custom indexes" for details.

2. When configuring the data inputs, route events to the test index. You can usually do this in Splunk Web. For each input:

a. When configuring the input from the Add data page, check the More settings option. It reveals several new fields, including one called Index.

b. In the Index dropdown box, select your test index. All events for that data input will now go to that index.

c. Repeat this process for each data input that you want to send to your test index.

You can also specify an index when configuring an input in inputs.conf, as described here.

3. When you search, specify the test index in your search. (By default, Splunk software searches the "main" index.) Filter on the index field:

index=test_index

Note: When searching a test index for events coming in from your newly created input, use the Real-time > All time (real-time) time range for the fields sidebar. The resulting real-time search will show all events being written to that index regardless of the value of their extracted time stamp. This is particularly useful if you are indexing historical data into your index that a search for "Last hour" or "Real-time > 30 minute window" would not show.

Delete indexed data and start over

If you want to clean out your test index and start over again, use the CLI clean command, described here.

Point your inputs at the default index

Once you're satisfied with the results and are ready to start indexing for real, you'll want to edit your data inputs so that they point to the default, "main" index, instead of the test index. This is a simple process, just the reverse of the steps you took to use the test index in the first place. For each data input that you've already set up:

1. Go back to the place where you initially configured the input. For example, if you configured the input from the Add data page in Splunk Web, return to the configuration screen for that input:

a. Select System > System configurations > Data inputs.

b. Select the input's data type to see a list of all configured inputs of that type.

c. Select the specific data input that you want to edit. This will take you to a screen where you can edit it.

d. Select the Display advanced settings option. Go to the field named Index.

e. In the Index dropdown box, select the main index. All events for that data input will now go to that index.

If you instead used inputs.conf to configure an input, you can change the index directly in that file, as described here.

2. Now when you search, you no longer need to specify an index in your search command. By default, Splunk software searches the "main" index.
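The two inputs.conf procedures above (routing inputs to the test index, then repointing them at main) are easy to get half-done: one forgotten stanza keeps writing test-quality events into production, or keeps production data in an index nobody searches. The following script is an added example and is not Splunk's own code or tooling. It parses an inputs.conf-style file, reports which stanzas still route to a given test index (treating a missing index key as the default index, main, as the page states), and rewrites only the index lines while leaving comments, ordering and other keys untouched. The sample inputs.conf text, the stanza names and the index name test_index are constructed for the example.

```python
import configparser
import re

# Constructed sample inputs.conf (not from the page): two inputs still routed
# to the test index, one already pointing at main, one with no index key at all.
SAMPLE_INPUTS_CONF = """\
# constructed example inputs.conf
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = test_index

[monitor:///var/log/nginx/access.log]
sourcetype = access_combined
index = test_index

[udp://514]
sourcetype = syslog
index = main

[monitor:///var/log/app/app.log]
sourcetype = app_json
"""

DEFAULT_INDEX = "main"  # Splunk's default index, as the page states


def parse_inputs_conf(text):
    """Parse inputs.conf-style text into {stanza: {key: value}}.

    configparser handles the [stanza] / key = value layout. Interpolation is
    disabled because Splunk values may contain '%', and key case is preserved.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def effective_index(stanzas, stanza):
    """Index a stanza writes to: its own index key, else the [default]
    stanza's index (if present), else Splunk's default index."""
    default_stanza = stanzas.get("default", {})
    return stanzas[stanza].get("index",
                               default_stanza.get("index", DEFAULT_INDEX))


def audit_indexes(text, test_index):
    """Return the sorted list of input stanzas still routed to test_index."""
    stanzas = parse_inputs_conf(text)
    return sorted(stanza for stanza in stanzas
                  if stanza != "default"
                  and effective_index(stanzas, stanza) == test_index)


def repoint_index(text, old_index, new_index):
    """Rewrite 'index = old_index' lines to new_index, preserving every other
    line (comments, blank lines, other keys) exactly as it was."""
    pattern = re.compile(r"^(\s*index\s*=\s*)(\S+)\s*$")
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        match = pattern.match(body)
        if match and match.group(2) == old_index:
            body = f"{match.group(1)}{new_index}"
        out.append(body + newline)
    return "".join(out)


if __name__ == "__main__":
    still_on_test = audit_indexes(SAMPLE_INPUTS_CONF, "test_index")
    print("Stanzas still routed to test_index:")
    for stanza in still_on_test:
        print("  " + stanza)
    promoted = repoint_index(SAMPLE_INPUTS_CONF, "test_index", "main")
    print("After repointing, stanzas still routed to test_index:",
          audit_indexes(promoted, "test_index"))
```

Running the audit before and after editing gives a simple promotion check: an empty result for the test index after the rewrite means no input was left behind, and the rewritten text can be diffed against the original to confirm that only index lines changed before it is deployed.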


This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.4, 7.1.3, 7.1.5, 7.2.0, 7.2.1
