https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488597#M83607 <P>You don't need to reboot splunk for index additions.</P> <P>You just need to update indexes.conf and then hit the debug refresh endpoint for indexes or for everything if you prefer.</P> Fri, 17 Jan 2020 17:45:00 GMT jkat54 2020-01-17T17:45:00Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488596#M83606 <P>I am using something pretty similar to this in my transforms.conf to dynamically put events in the desired indexes.</P> <P><A href="https://answers.splunk.com/answers/150266/dynamic-index-assignment-based-on-event-or-log-prefix.html">https://answers.splunk.com/answers/150266/dynamic-index-assignment-based-on-event-or-log-prefix.html</A></P> <P>There are situations where the index doesnt' quite exist yet. When that happens the file sink-holes into the ether, not to be ingested, nor kept in the original directory.</P> <P>I'm looking to write some code to get in front of it, and </P> <UL> <LI>watch the directories</LI> <LI><STRONG>ensure the appropriate index exists</STRONG> </LI> <LI>then drop the file in the Splunk-watched directory (or maybe use the api/cli to directly ingest the file in Splunk to the correct index).</LI> </UL> <P>This is not a clustered Splunk, though if required, it is possible. (I came across this question <A href="https://answers.splunk.com/answers/387133/how-to-create-index-using-rest-api-in-a-clustered.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev">https://answers.splunk.com/answers/387133/how-to-create-index-using-rest-api-in-a-clustered.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev</A>)</P> <P>My concern is that the solution is pointing to something like editing the indexes.conf file and rebooting splunk through the command line. Is this possible via REST API? I would also prefer not to have to reboot and kick the users off. What does the Splunk UI use to do it?</P> Fri, 17 Jan 2020 15:44:40 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488596#M83606 hiddenkirby 2020-01-17T15:44:40Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488597#M83607 <P>You don't need to reboot splunk for index additions.</P> <P>You just need to update indexes.conf and then hit the debug refresh endpoint for indexes or for everything if you prefer.</P> Fri, 17 Jan 2020 17:45:00 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488597#M83607 jkat54 2020-01-17T17:45:00Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488598#M83608 <P>Something like a post to <A href="http://splunkserver:8000/en-US/debug/refresh?entity=indexes">http://splunkserver:8000/en-US/debug/refresh?entity=indexes</A> should work</P> Fri, 17 Jan 2020 17:46:45 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488598#M83608 jkat54 2020-01-17T17:46:45Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488599#M83609 <P>This is helpful, thank you. Is that what the UI does when you create an index?</P> Fri, 17 Jan 2020 19:18:37 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488599#M83609 hiddenkirby 2020-01-17T19:18:37Z https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488600#M83610 <P>Yes or something very similar. </P> <P>You could install something like Teleriks Fiddler on your device and see exactly what posts/gets are made when you click on buttons in the UI.</P> Fri, 17 Jan 2020 20:37:20 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-create-a-new-index-using-the-REST-API/m-p/488600#M83610 jkat54 2020-01-17T20:37:20Z