Retrieve events from indexes and distributed search peers
You have always been able to create new indexes, add more search peers, and manage where you want to store your data. Additionally, when you have data split across different indexes and distributed search peers, you're not limited to searching one index or server at a time. You can search across multiple indexes and servers at once, using the
splunk_server fields, respectively.
Specify one or multiple indexes to search
The Splunk administrator can set the default indexes that a user searches. Based on the user's roles and permissions, he may have access to one or many indexes; for example the user may only be able to search main or all public indexes. The user can then specify a subset of these indexes, either an individual index or multiple indexes, to search. For more information about setting up users and roles, see the "About users and roles" chapter in Securing Splunk.
For more information about managing your indexes and setting up multiple indexes, see the "About managing indexes" chapter in the Managing Indexers and Clusters manual.
Control index access using Splunk Web
Navigate to Settings > Access controls > Roles. Select the role that the User has been assigned to and then on the bottom of the next screen you'll find the index controls. You can control the indexes that particular role has access to, as well as the default search indexes.
You can specify different indexes to search in the same way that you specify field names and values. In this case, the field name is
index and the field value is the name of a particular index:
You can use the * wildcard to specify groups of indexes; for example, if you wanted to search both "mail" and "main" indexes, you can search for:
You can also use parentheses to partition different searches to certain indexes. See Example 3 for details.
Note: When you type "index=" into the search bar, typeahead indicates all the indexes that you can search, based on your roles and permissions settings.
Example 1: Search across all public indexes.
Example 2: Search across all indexes, public and internal.
index=* OR index=_*
Example 3: Partition different searches to different indexes; in this example, you're searching three different indexes: main, _internal, and mail. You want to see events that match "error" in all three indexes; but also, errors that match "warn" in main or "failed" in mail.
(index=main (error OR warn)) OR (index=_internal error) OR (index=mail (error OR failed))
Example 4: Search across multiple indexes on different distributed Splunk servers.
(splunk_server=local index=main 404 ip=10.0.0.0/16) OR (splunk_server=remote index=mail user=admin)
Search across one or more distributed search peers
When performing a distributed search from a search head, you can restrict your searches to specific search peers (also known as "indexer nodes") by default and in your saved and scheduled searches. The names of your Splunk search peers are saved as values in the "splunk_server" field. For more information about distributed search, see "About distributed search" in the Distributed Search manual.
If no search peer is specified, your search accesses all search peers you have permission to access. The default peers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in Securing Splunk.
The ability to restrict your searches to specific peers can be useful when there is high latency to certain search peers and you do not want to search them by default. When you specify one or more peers, those are the only servers that are included in the search.
You can specify different peers to search in the same way that you specify other field names and values. In this case, the field name is "splunk_server" and the field value is the name of a particular distributed peer:
Note: You can use the value "local" to refer to the Splunk instance that you are searching from; in other words, the search head itself.
Keep in mind that field names are case sensitive; Splunk will not recognize a field name if the case doesn't match.
Example 1: Return results from specified search peers.
error (splunk_server=NYsplunk OR splunk_server=CAsplunk) NOT splunk_server=TXsplunk
Example 2: Search different indexes on distributed search peers "foo" or "bar".
(splunk_server=foo index=main 404 ip=10.0.0.0/16) OR (splunk_server=bar index=mail user=admin)
Not finding the events you're looking for?
When you add an input to Splunk, that input gets added relative to the app you're in. Some apps write input data to their own specific index (for example, the Splunk App for Unix and Linux uses the 'os' index).
If you're not finding data that you're certain is in Splunk, be sure that you're looking at the right index. You might need to add an app-specific index to the list of default indexes for the role you're using. For more information about roles, refer to the topic about roles in Securing Splunk.
Use fields to retrieve events
Classify and group similar events
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14