All Apps and Add-ons

How to create a new index in index cluster (6.2.2)

sim_tcr
Communicator

Hello,

We are trying to setup a new splunk environment with search head pooling and index clustering with index replication using 6.2.2.
We have 4 search heads which are clustered, a deployment server, 4 indexers which are clustered using a master server.

Now, I want to create a new index named test which needs to be replicated across the indexers.

I read Configure the peer indexes in an indexer cluster. But I am not clear whether the index should be created manually using GUI or putting an entry in the indexes.conf and distributing it as a configuration bundle using master will create the index on all peer indexers.

Can some one explain please?

Thanks,
Simon Mandy

Tags (2)
1 Solution

dart
Splunk Employee
Splunk Employee

You should configure any new indexes by putting an entry in an indexes.conf on the cluster master, then push out the configuration bundle.

The cluster master will have an app under $SPLUNK_HOME/etc/master-apps/_cluster and you can add a new indexes.conf under the local folder there. Then you can distribute the configuration bundle.

View solution in original post

sim_tcr
Communicator

Thank you for replying Dart. Based on your reply i did following,

On the master at /Splunk/splunk/etc/master-apps/_cluster I created a folder called local and the created an indexes.conf with below entries.

[test]
repFactor=auto
homePath=/Splunk/indexes/test/db/
coldPath=/Splunk/indexes/test/colddb/
thawedPath=/Splunk/indexes/test/thaweddb/

Then in master, I went to settings->Indexer Clustering-Edit->Distribute Configuration Bundle->I clicked Distribute Configuration Bundle.
I saw the file being deployed and then after couple of minutes saw successful message.
I went to indexers and checked I saw that test index is created on all indexers.

Questions:
Now if i want to add a new index called test1 should test entries remain there in master /Splunk/splunk/etc/master-apps/_cluster/local/indexes.conf ?
I saw that while the file was being pushed the splunk on indexers got bounced. Is that normal?
When i go to Indexer Clustering: Master Node on master I am not seeing these new index I created under Indexes tab. Does that mean they are not searchable yet. There are no events on those index yet.

Thanks,
Simon Mandy

sim_tcr
Communicator

here are the answers to my questions.
Now if i want to add a new index called test1 should test entries remain there in master /Splunk/splunk/etc/master-apps/_cluster/local/indexes.conf ?
Yes
I saw that while the file was being pushed the splunk on indexers got bounced. Is that normal?
Yes. Bouncing will happen on one indexer after other. So there is no real outage to splunk.
When i go to Indexer Clustering: Master Node on master I am not seeing these new index I created under Indexes tab. Does that mean they are not searchable yet. There are no events on those index yet.
Once data started flowing in to the index, it becomes available under the index tab.

0 Karma

dart
Splunk Employee
Splunk Employee

You should configure any new indexes by putting an entry in an indexes.conf on the cluster master, then push out the configuration bundle.

The cluster master will have an app under $SPLUNK_HOME/etc/master-apps/_cluster and you can add a new indexes.conf under the local folder there. Then you can distribute the configuration bundle.

View solution in original post

satishsdange
Builder

Don't we configure all indexes on a SH? Then deployer will maintain that config across other remaining SH?

0 Karma

dart
Splunk Employee
Splunk Employee

If you want the indexes on your clustered indexers, you use the cluster master

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!