Default Search Macro
By default, the ElastiFlow App for Splunk comes with a predefined default_index search macro. You can view the default_index search macro by going to: Settings -> Advanced search -> "Search macros"
The default_index search macro defaults to index="elastiflow*". Changing this search macro automatically updates the index=name used by each visualization. You can view any search by clicking the magnifying glass next to a visualization. As you can see below, this search references the default_index search macro.
For more information about search macros please visit: https://docs.splunk.com/Documentation/PCI/5.0.1/User/Searchmacros