https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284773#M54396 <P>I haven't seen an option like that. The cluster master does have some REST endpoints for reading index data, but they are all GET methods.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Findexes.2F.7Bname.7D">http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Findexes.2F.7Bname.7D</A></P> <P>You can individually create the index on each indexer via an API call, but that's probably risky given that the index configurations between all of servers need to match exactly. I've also had limited success creating the index on a host via API without having to restart the indexer. </P> <P>You're probably stuck with managing an indexes.conf file on your cluster master and building your automation around that.</P> Tue, 09 Feb 2016 19:32:51 GMT Jeremiah 2016-02-09T19:32:51Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284771#M54394 <P>Hi,</P> <P>Is there a way to automate the creation (and parameters) of new indexes through REST (hopefully pushed through the Cluster Manager)?</P> Tue, 09 Feb 2016 18:53:42 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284771#M54394 a212830 2016-02-09T18:53:42Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284772#M54395 <P>Yes, take a look at: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTconf">http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTconf</A></P> Tue, 09 Feb 2016 19:31:36 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284772#M54395 masonmorales 2016-02-09T19:31:36Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284773#M54396 <P>I haven't seen an option like that. The cluster master does have some REST endpoints for reading index data, but they are all GET methods.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Findexes.2F.7Bname.7D">http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Findexes.2F.7Bname.7D</A></P> <P>You can individually create the index on each indexer via an API call, but that's probably risky given that the index configurations between all of servers need to match exactly. I've also had limited success creating the index on a host via API without having to restart the indexer. </P> <P>You're probably stuck with managing an indexes.conf file on your cluster master and building your automation around that.</P> Tue, 09 Feb 2016 19:32:51 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284773#M54396 Jeremiah 2016-02-09T19:32:51Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284774#M54397 <P>This would work to create an index in a cluster? Would you have to push the change to each peer or is there an endpoint here that lets you push a change to the cluster master that is then distributed to the indexers?</P> Tue, 09 Feb 2016 19:55:34 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284774#M54397 Jeremiah 2016-02-09T19:55:34Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284775#M54398 <P>I'm not sure if there is a way to do that directly on the master node, but you could probably use it to update the indexes.conf file on the master node (will likely be under $SPLUNK_HOME/etc/system/local/indexes.conf), then have a CRON job on the master node that periodically copies that indexes.conf file that you created through the REST API to <CODE>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf</CODE>. Take a look at: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Updatepeerconfigurations" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Updatepeerconfigurations</A></P> Tue, 29 Sep 2020 08:47:08 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284775#M54398 masonmorales 2020-09-29T08:47:08Z https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284776#M54399 <P>I'm not sure POST is supported, but I'd guess <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Findexes">http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Findexes</A> for updating the master nodes index config.</P> <P>If not, then maybe you can just use <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTconf">http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTconf</A> to do the same for generic config updates.</P> <P>Then there might be an endpoint for pushing out the updated config. Not sure if this is it: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Fgeneration">http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTcluster#cluster.2Fmaster.2Fgeneration</A><BR /> If not, then the cron approach might work.</P> Fri, 12 Feb 2016 22:38:11 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-a-REST-call-to-create-an-index-dynamically/m-p/284776#M54399 sloshburch 2016-02-12T22:38:11Z