All Apps and Add-ons

How to create a new index in index cluster (6.2.2)

sim_tcr
Communicator

Hello,

We are trying to setup a new splunk environment with search head pooling and index clustering with index replication using 6.2.2.
We have 4 search heads which are clustered, a deployment server, 4 indexers which are clustered using a master server.

Now, I want to create a new index named test which needs to be replicated across the indexers.

I read Configure the peer indexes in an indexer cluster. But I am not clear whether the index should be created manually using GUI or putting an entry in the indexes.conf and distributing it as a configuration bundle using master will create the index on all peer indexers.

Can some one explain please?

Thanks,
Simon Mandy

Tags (2)
1 Solution

dart
Splunk Employee
Splunk Employee

You should configure any new indexes by putting an entry in an indexes.conf on the cluster master, then push out the configuration bundle.

The cluster master will have an app under $SPLUNK_HOME/etc/master-apps/_cluster and you can add a new indexes.conf under the local folder there. Then you can distribute the configuration bundle.

View solution in original post

sim_tcr
Communicator

Thank you for replying Dart. Based on your reply i did following,

On the master at /Splunk/splunk/etc/master-apps/_cluster I created a folder called local and the created an indexes.conf with below entries.

[test]
repFactor=auto
homePath=/Splunk/indexes/test/db/
coldPath=/Splunk/indexes/test/colddb/
thawedPath=/Splunk/indexes/test/thaweddb/

Then in master, I went to settings->Indexer Clustering-Edit->Distribute Configuration Bundle->I clicked Distribute Configuration Bundle.
I saw the file being deployed and then after couple of minutes saw successful message.
I went to indexers and checked I saw that test index is created on all indexers.

Questions:
Now if i want to add a new index called test1 should test entries remain there in master /Splunk/splunk/etc/master-apps/_cluster/local/indexes.conf ?
I saw that while the file was being pushed the splunk on indexers got bounced. Is that normal?
When i go to Indexer Clustering: Master Node on master I am not seeing these new index I created under Indexes tab. Does that mean they are not searchable yet. There are no events on those index yet.

Thanks,
Simon Mandy

sim_tcr
Communicator

here are the answers to my questions.
Now if i want to add a new index called test1 should test entries remain there in master /Splunk/splunk/etc/master-apps/_cluster/local/indexes.conf ?
Yes
I saw that while the file was being pushed the splunk on indexers got bounced. Is that normal?
Yes. Bouncing will happen on one indexer after other. So there is no real outage to splunk.
When i go to Indexer Clustering: Master Node on master I am not seeing these new index I created under Indexes tab. Does that mean they are not searchable yet. There are no events on those index yet.
Once data started flowing in to the index, it becomes available under the index tab.

0 Karma

dart
Splunk Employee
Splunk Employee

You should configure any new indexes by putting an entry in an indexes.conf on the cluster master, then push out the configuration bundle.

The cluster master will have an app under $SPLUNK_HOME/etc/master-apps/_cluster and you can add a new indexes.conf under the local folder there. Then you can distribute the configuration bundle.

satishsdange
Builder

Don't we configure all indexes on a SH? Then deployer will maintain that config across other remaining SH?

0 Karma

dart
Splunk Employee
Splunk Employee

If you want the indexes on your clustered indexers, you use the cluster master

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...