Cannot select custom app for new index

mwcentracomm
Explorer

I added a new index to my enterprise server, but on the indexer I cannot add it because it will not allow me to select the custom app.

0 Karma

diogofgm
SplunkTrust

Can you give more details about the issue you're facing?
How is your Splunk infra designed? Is it standalone or distributed?
If it's distributed, how are you deploying the configurations? Using a deployment server?
What are you trying to accomplish?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

mwcentracomm
Explorer

I am new to this environment, so distributed, I believe. There is a heavy forwarder, two search heads, an indexer, a server listed as console (which is the server we log on to for searches) and another server whose purpose I do not know (simply named DDMD).

I have added new indexes and inputs on the main server, but they are showing no events.

I have read that I also need to add the indexes to the indexer. When trying to do this, I cannot select the same custom app for indexes that all the others on that server are using.

0 Karma

isoutamo
SplunkTrust

Hi

Here https://docs.splunk.com/Documentation/Splunk/8.2.4/InheritedDeployment/Introduction is an excellent guide to get familiar with your environment. Based on it, you should get a clear understanding of what you have.

If/when you have a distributed environment, there are (as you said) several servers with different roles, like search head, indexer(s), manager node (if there is an indexer cluster), heavy forwarders, UF and maybe DS (deployment server), LM (license manager, could be on some other server as an additional role) and MC (monitoring console). If you have a monitoring console in place, you can use it to get the topology of your environment.

When there are separate search heads (where you normally log in with the GUI) and indexer(s) and/or an MN, then you must add the index definitions to the indexer peers or, if you have an indexer cluster, to the manager node and then deploy those to the peers.

r. Ismo

0 Karma
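
The index definition that the answer above says must exist on the indexer, as an added configuration example that is not part of the original thread. The app name `my_custom_indexes` and the index name `my_new_index` are placeholders, since the thread does not give the real names.

```ini
# indexes.conf -- added example; app and index names are placeholders.
#
# Where the file goes depends on the indexer topology:
#
#   Single / non-clustered indexer:
#     $SPLUNK_HOME/etc/apps/my_custom_indexes/local/indexes.conf
#     (placed directly on the indexer, in the same app that holds
#      the other custom index definitions)
#
#   Indexer cluster:
#     on the manager node, under
#     $SPLUNK_HOME/etc/master-apps/my_custom_indexes/local/indexes.conf
#     (the directory is named manager-apps in Splunk 9.0 and later),
#     then push it to the peers from the manager node with:
#       splunk apply cluster-bundle
#
# Defining the index only on the search head makes it selectable in the
# search head UI but does not create it where the data is stored. An input
# that sends to an index the indexer does not know about produces no
# searchable events in that index.

[my_new_index]
homePath   = $SPLUNK_DB/my_new_index/db
coldPath   = $SPLUNK_DB/my_new_index/colddb
thawedPath = $SPLUNK_DB/my_new_index/thaweddb

# Clustered indexers only: replicate this index across peers.
# Leave this line out on a non-clustered indexer.
# repFactor = auto

# The matching input on the forwarder (inputs.conf) must name the same index:
#   [monitor:///path/to/placeholder.log]
#   index = my_new_index
```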