All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Add-on for Microsoft Active Directory recreates indices after deleting them, how to get rid?

swasserroth
Path Finder
‎10-25-2018 08:07 AM

Hello *,

while refreshing our Splunk installation we reinstalled the various TAs and Apps. Currently we are working on the "Splunk App for Windows Infrastructure" (version 5.0.1). This requires "Splunk Add-on for Microsoft Active Directory" (still at 1.0.0).

This leads to inconsistencies: The AD addon defines the various "old" indices (msad, perfmon, wineventlog etc.), but the new "App for Windows" does not depend on this structure anymore. Thus I wanted to gather all windows data in a single index named "windowsindex", which basically works by defining this index in all inputs.conf files inside the [default] stanza.

Now the complicated part: I can delete the "old" and now unused indices like "msad" successfully, no problem here. BUT: after Splunk restart this index is recreated again, probably because it is defined in the inputs.conf in the "/default"-tree of the AD addon. Otherwise editing the files in the /default-directories is kind of forbidden...

So how can I get rid of indices defined inside the /default-directory of an app or addon??

Alternative solution (for this case): Upgrade the AD addon to be in sync with the new structure of the Splunk Windows App (hint, hint).

Any ideas for a work around?

Thanks and best regards,
Stephan

0 Karma
Reply

swasserroth
Path Finder
‎10-25-2018 11:28 PM

OK, answering my own question...

The analysis seems to be correct: if an index is defined in an indexes.conf file, which is contained in a .../default-directory, then this indexes will get recreated after a restart of Splunk! Even if this index was deleted completely. It will get the "deleted = true" flag, in the indexes.conf file residing in the .../local-directory.

Thus you have to comment out the stanza for the index to be deleted in the /default/indexes.conf and to add the contexts to the /local/indexes.conf, THEN the index will get deleted completly during restart and it will NOT be recreated. Weird logic... and an exeception to the rule of not editing .conf-files inside a /default-directory...

Have fun,
Stephan

0 Karma
Reply

swasserroth
Path Finder
‎10-25-2018 08:16 AM

More observations (tested with the index "msad") after a few restarts: Index is still there and the indexes.conf in the /local-directory always shows this

[msad]
deleted = true
disabled = true

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...