I would like to request a modification to use an index macro
Using an index macro is a standard best practice for Splunk applications. Currently, when a dashboard loads, you are searching every index that is searched by default.
That can have two issues:
It searches entirely too much data in large deployments -- we bring in over 2TB/day of data besides mhn, and your searches are searching all of it even though mhn data will be limited to one index
It can miss the data. If the index the mhn data is coming into is not listed in the user's indexes to search by default, the dashboards will not populate even if the user has access to the data
While you can't make everything automagically work out of the box for all deployments, by using an index macro, a Splunk administrator has one thing he/she needs to edit in order to make the dashboards work / apply a potentially large optimization
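A sketch of what the request amounts to, added here as an illustration; it is not taken from the original post or from the project's code. The macro name `mhn_index`, the index name `mhn`, and the `<mhn_sourcetype>` placeholder are assumptions.

```ini
# default/macros.conf (shipped with the app)
# One macro holds the index constraint for every dashboard search.
# The name "mhn_index" and the default value are assumed for this example.
[mhn_index]
definition = index=mhn
iseval = 0

# local/macros.conf (edited by the Splunk administrator)
# If mhn data lands in a differently named index, override the macro here.
# This is the single edit needed; no dashboard XML has to change.
# [mhn_index]
# definition = index=<your_mhn_index>

# Dashboard search without the macro (current behaviour):
#   sourcetype=<mhn_sourcetype> | stats count by src
# Only the user's "indexes searched by default" are scanned, so the search
# may scan far more data than needed or miss the mhn index entirely.

# Dashboard search with the macro (requested behaviour):
#   `mhn_index` sourcetype=<mhn_sourcetype> | stats count by src
# The macro expands to the index constraint before the search runs, so the
# search is scoped to the mhn index regardless of the user's default indexes.
```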