All Apps and Add-ons

Cannot select custom app for new index

mwcentracomm
Explorer

I added a new index to my enterprise server, but on the indexer I cannot add it because it will not allow me to select the custom app.

Labels (1)
0 Karma

diogofgm
SplunkTrust
SplunkTrust

Can you give more details about this issue you're facing?
How is your splunk infra design? is it standalone or distributed? 
If its distributed how are you deploying the configurations? Using deployment server?
What are you trying to accomplish?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

mwcentracomm
Explorer

I am new to this environment, so distributed I believe.  There is a heavy forwarder, two search heads, an indexer, a server listed as console (which is the server we logon for searches) and another server of which I do not know what it does (simply named DDMD).

I have added new indexes and inputs on the main server, but they are showing no events.

I have read I also need to add the indexes to the indexer, when trying to do this, I cannot select the same custom app for indexes that all the others on that server are using.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

here https://docs.splunk.com/Documentation/Splunk/8.2.4/InheritedDeployment/Introduction is excellent guide to get familiar with your environment. Based on it, you should get clear understand what you have.

If/when you have a distributed environment there are (as you told) several servers with different roles like search head, indexer(s),  manager node (if there is indexer cluster), heavy forwarders, UF and maybe DS (deployment server), LM (license manager, could be some other server as additional role) and MC (monitoring console). If you have monitor console on place you can use it as getting topology of your environment.

When there are separate search head (where you normally log with GUI) and indexer(s) and/or MN then you must add index definitions to indexer peers or if you have indexer cluster then into manager node and then deploy those to peers.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...