How to create a new index in index cluster (6.2.2)

Communicator

Hello,

We are trying to set up a new Splunk environment with search head pooling and index clustering with index replication using 6.2.2.
We have 4 search heads which are clustered, a deployment server, and 4 indexers which are clustered using a master server.

Now, I want to create a new index named test which needs to be replicated across the indexers.

I read "Configure the peer indexes in an indexer cluster", but I am not clear whether the index should be created manually using the GUI, or whether putting an entry in indexes.conf and distributing it as a configuration bundle using the master will create the index on all peer indexers.

Can someone explain, please?

Thanks,
Simon Mandy

Splunk Employee

You should configure any new indexes by putting an entry in an indexes.conf on the cluster master, then push out the configuration bundle.

The cluster master will have an app under $SPLUNK_HOME/etc/master-apps/_cluster and you can add a new indexes.conf under the local folder there. Then you can distribute the configuration bundle.

Communicator

Thank you for replying, Dart. Based on your reply I did the following.

On the master, at /Splunk/splunk/etc/master-apps/_cluster, I created a folder called local and then created an indexes.conf with the entries below.

[test]
repFactor=auto
homePath=/Splunk/indexes/test/db/
coldPath=/Splunk/indexes/test/colddb/
thawedPath=/Splunk/indexes/test/thaweddb/

Then on the master, I went to Settings -> Indexer Clustering -> Edit -> Distribute Configuration Bundle and clicked Distribute Configuration Bundle.
I saw the file being deployed and then, after a couple of minutes, saw a success message.
I went to the indexers and checked; I saw that the test index was created on all indexers.

Questions:
Now, if I want to add a new index called test1, should the test entries remain in /Splunk/splunk/etc/master-apps/_cluster/local/indexes.conf on the master?
I saw that while the file was being pushed, Splunk on the indexers got bounced. Is that normal?
When I go to Indexer Clustering: Master Node on the master, I am not seeing the new index I created under the Indexes tab. Does that mean it is not searchable yet? There are no events in that index yet.

Thanks,
Simon Mandy

0 Karma

Communicator

Here are the answers to my questions.
Now, if I want to add a new index called test1, should the test entries remain in /Splunk/splunk/etc/master-apps/_cluster/local/indexes.conf on the master?
Yes.
I saw that while the file was being pushed, Splunk on the indexers got bounced. Is that normal?
Yes. Bouncing will happen on one indexer after the other. So there is no real outage to Splunk.
When I go to Indexer Clustering: Master Node on the master, I am not seeing the new index I created under the Indexes tab. Does that mean it is not searchable yet? There are no events in that index yet.
Once data starts flowing into the index, it becomes available under the index tab.

0 Karma
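
A pre-push check for the indexes.conf discussed in this thread, as an added example that is not part of the original posts or of Splunk's own tooling: it parses the file kept under master-apps/_cluster/local and reports index stanzas that lack repFactor=auto or one of the three index paths. The function name check_indexes_conf and the test1 paths are hypothetical, and the sample file is constructed from the stanza posted above.

```python
import configparser

REQUIRED_PATHS = ("homePath", "coldPath", "thawedPath")

# Constructed sample: the [test] stanza from the post, kept in place, plus a
# hypothetical [test1] stanza that lacks repFactor and thawedPath.
SAMPLE = """\
[test]
repFactor=auto
homePath=/Splunk/indexes/test/db/
coldPath=/Splunk/indexes/test/colddb/
thawedPath=/Splunk/indexes/test/thaweddb/

[test1]
homePath=/Splunk/indexes/test1/db/
coldPath=/Splunk/indexes/test1/colddb/
"""


def check_indexes_conf(text):
    """Return {index: [problems]} for stanzas that would not replicate cleanly."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    cp.optionxform = str  # setting names in indexes.conf are case-sensitive
    cp.read_string(text)
    # A repFactor set under [default] is inherited by every index stanza.
    inherited = cp["default"].get("repFactor", "0") if cp.has_section("default") else "0"
    findings = {}
    for name in cp.sections():
        # [default] and prefixed stanzas such as [volume:...] are not indexes.
        if name == "default" or ":" in name:
            continue
        stanza = cp[name]
        problems = []
        if stanza.get("repFactor", inherited).strip().lower() != "auto":
            problems.append("repFactor is not auto: index will not be replicated")
        problems += [f"missing {k}" for k in REQUIRED_PATHS if not stanza.get(k, "").strip()]
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for index, problems in check_indexes_conf(SAMPLE).items():
        print(index, "->", "; ".join(problems))
```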

Builder

Don't we configure all indexes on a SH? Then deployer will maintain that config across other remaining SH?

0 Karma

Splunk Employee

If you want the indexes on your clustered indexers, you use the cluster master.

0 Karma