Use a test index to test your inputs
Before adding new inputs to your production index, it is best to test them out. Add the inputs to a test index. Once you've verified that you're receiving the right data inputs and that the resulting events are in a usable form, you can point the inputs to your default "main" index. You can continue to test new inputs this way over time.
If you find that the inputs you started with are not the ones you want, or that the indexed events aren't appearing the way you need them to, you can keep working with the test index until you're happy with the results. When things start looking good, you can edit the inputs to point to your main index instead.
Note: You can use a test index in concert with the Splunk Web data preview feature. Data preview allows you to see how Splunk Enterprise will index the data in a file before it actually writes the data to an index. You can also use it to adjust some event processing settings interactively. See "Overview of data preview" for details.
Use a test index
To learn how to create and use custom indexes, read "Set up multiple indexes" in the Managing Indexers and Clusters manual. There are a few basic steps, described in detail in that topic:
1. Create the test index, using Splunk Web or the CLI or by editing indexes.conf directly. See "Set up multiple indexes" for details.
2. When configuring the data inputs, route events to the test index. You can usually do this in Splunk Web. For each input:
a. When configuring the input from the Add data page, check the More settings option. It reveals several new fields, including one called Index.
b. In the Index dropdown box, select your test index. All events for that data input will now go to that index.
c. Repeat this process for each data input that you want to send to your test index.
You can also specify an index when configuring an input in inputs.conf, as described here.
3. When you search, specify the test index in your search command. (By default, Splunk Enterprise searches on the "main" index.) Use the
Note: When searching a test index for events coming in from your newly created input, Splunk recommends that you use the Real-time > All time (real-time) time range for the fields sidebar. The resulting real-time search will show all events being written to that index regardless of the value of their extracted time stamp. This is particularly useful if you are indexing historical data into your index that a search for "Last hour" or "Real-time > 30 minute window" would not show.
Delete indexed data and start over
If you want to clean out your test index and start over again, use the CLI clean command, described here.
Point your inputs at the default index
Once you're satisfied with the results and are ready to start indexing for real, you'll want to edit your data inputs so that they point to the default, "main" index, instead of the test index. This is a simple process, just the reverse of the steps you took to use the test index in the first place. For each data input that you've already set up:
1. Go back to the place where you initially configured the input. For example, if you configured the input from the Add data page in Splunk Web, return to the configuration screen for that input:
a. Select System > System configurations > Data inputs.
b. Select the input's data type to see a list of all configured inputs of that type.
c. Select the specific data input that you want to edit. This will take you to a screen where you can edit it.
d. Select the Display advanced settings option. Go to the field named Index.
e. In the Index dropdown box, select the main index. All events for that data input will now go to that index.
If you instead used inputs.conf to configure an input, you can change the index directly in that file, as described here.
2. Now when you search, you no longer need to specify an index in your search command. By default, Splunk Enterprise searches on the "main" index.
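The following is an added example, not taken from the Splunk documentation, showing what the test-index workflow above looks like when done in the configuration files rather than Splunk Web: the test index in indexes.conf, an input routed to it in inputs.conf, and the change that points the input back at "main". The index name "test", the monitored file path and the sourcetype are assumptions.

```ini
# indexes.conf (for example in $SPLUNK_HOME/etc/system/local/)
# Step 1: define the test index. The name "test" and the paths are assumptions.
[test]
homePath   = $SPLUNK_DB/test/db
coldPath   = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb

# inputs.conf
# Step 2: route a single file monitor input to the test index instead of main.
# The path and sourcetype are placeholders for your own input.
[monitor:///var/log/myapp/app.log]
sourcetype = myapp
index = test

# Step 3: because "main" is searched by default, name the test index
# explicitly in the search bar while you verify the events:
#   index=test sourcetype=myapp
#
# To empty the test index and start over (the CLI "clean" command; the
# indexer must be stopped first):
#   splunk stop
#   splunk clean eventdata -index test
#   splunk start
#
# Once the events look right, point the same input back at the default
# index by changing (or removing, since main is the default) this setting:
# [monitor:///var/log/myapp/app.log]
# sourcetype = myapp
# index = main
```

Restart the indexer (or reload the input) after editing inputs.conf so the new index assignment takes effect.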
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14