
Why does data appear if I add "index=*" in the query?


I am using Splunk to search the company's logs.

I am wondering why I need to add "index=*" in the query, e.g. env=dev index=*

Without "index=*", no data is returned.

Why do we need it, and what does it mean?

I am confused, because each term should be a limiting factor, e.g. adding one more filtering term, index=*, should reduce the returned data set.


Solution

  • Janet, the Splunk app you're running that search in has a configurable list of default indexes it runs searches against; e.g., the default Search app runs against all non-Splunk-internal indexes (the ones starting with an _).

    This is for a good reason: this way Splunk avoids having to check for your keyword terms over all indexes, computing your SPL quicker.

    If your team keeps having to specify the indexes in the majority of your searches, this would justify your Splunk admin creating a separate Splunk app for your team/app owners.

    PS: It's best to ask your next Splunk search questions on the official forum, Splunk Answers.