By Splunk July 29, 2009
If you are comfortable editing XML, here’s a handy hack to get the list of your default indexes in the “All indexed data” dashboard. It will show whatever the logged-in user has access to.
If you are using the standard dashboards from the Search app, do this:
Go to $SPLUNK_HOME/etc/apps/search/default/data/ui/views
Copy dashboard.xml to $SPLUNK_HOME/etc/apps/search/local/data/ui/views
Change the permissions on the file so you can edit it
Right before the last </view> tag at the end insert this XML:
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp4" group="All
indexed data" autoRun="True">
<param name="search">| eventcount summarize=false index=* -count</param>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Indexes (%(count)s)</param>
<module name="Paginator">
<param name="count">20</param>
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="LinkList">
<param name="initialSortDir">desc</param>
<param name="labelFieldSearch">*</param>
<param name="valueField">count</param>
<param name="labelField">index</param>
<param name="labelFieldTarget">flashtimeline</param>
<param name="initialSort">count</param>
</module>
</module>
</module>
</module>
Save the file.
Back in the UI, click the Splunk logo to refresh the search app.
Presto! Now there is a new column showing indexes. If something didn’t work right, just remove the file you created. This file won’t be overwritten on upgrade, so if in the future there is a change to the search app you will still have this version because files in local take precedence.