Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Retrieve events from indexes

You have always been able to create new indexes and manage where you want to store your data. Additionally, when you have data split across different indexes, you can search multiple indexes at once, using the index field.

Specify one or multiple indexes to search

The Splunk administrator can set the default indexes that a user searches. Based on the roles and permissions, the user might have access to one or many indexes. For example the user might be able to only search main or all public indexes. The user can then specify a subset of these indexes, either an individual index or multiple indexes, to search. For more information about setting up users and roles, see "About users and roles" in Securing Splunk Enterprise.

For more information about managing your indexes and setting up multiple indexes, see the "About managing indexes" in the Managing Indexers and Clusters manual.

Control index access using Splunk Web

1. Navigate to Settings > Roles.

2. Click the role that the User has been assigned to.

3. Click on "3. Indexes".

4. Control the indexes that particular role has access to, as well as the default search indexes.


You can specify different indexes to search in the same way that you specify field names and values. In this case, the field name is index and the field value is the name of a particular index:


You can use the * wildcard to specify groups of indexes; for example, if you wanted to search both "mail" and "main" indexes, you can search for:


You can also use parentheses to partition different searches to certain indexes. See Example 3 for details.

Note: When you type "index=" into the search bar, typeahead indicates all the indexes that you can search, based on your roles and permissions settings.


Example 1: Search across all public indexes.


Example 2: Search across all indexes, public and internal.

index=* OR index=_*

Example 3: Partition different searches to different indexes; in this example, you're searching three different indexes: main, _internal, and mail. You want to see events that match "error" in all three indexes; but also, errors that match "warn" in main or "failed" in mail.

(index=main (error OR warn)) OR (index=_internal error) OR (index=mail (error OR failed))

Example 4: Search across multiple indexes on different distributed Splunk servers.

(splunk_server=local index=main 404 ip= OR (splunk_server=remote index=mail user=admin)

Not finding the events you're looking for?

When you add an input, the input gets added relative to the app you're in. Some apps write input data to their own specific index (for example, the Splunk App for Unix and Linux uses the 'os' index).

Last modified on 06 June, 2020
Event sampling
Search across one or more distributed search peers

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.8, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 7.0.7, 7.0.9, 7.1.1, 7.1.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters