All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk CIM index contraints

joshfenton01
Explorer
‎01-16-2017 03:42 AM

In a distributed environment why does the splunk cim setup screen only see the indexes defined on the local search head, not all indexes that exist across the deployment? All other functions work as expected, though i'd like to lower search I/O by using the constrain index configuration of the CIM.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jwelch_splunk
Splunk Employee
Splunk Employee
‎01-17-2017 05:40 AM

CIM Setup and type ahead work off the local indexes.conf

Even though the SH does not index data, it is very important to have a "complete" indexes.conf on your SH for the two reasons I listed above.

I would recommend that you have an indexes.conf app to push to all search heads from your deployer and/or deployement server.

At present Splunk Distributed search cannot see what is on the "peers" for indexes ,and thus the need for a local indexes.conf that is all inclusive of what you have on the peers.

If you don't want to do this, you can modify the macros by hand for CIM rather than using the CIM Setup.

You can go to settings / Data Models / here you can click on each data model and see in the constraint which macro the DM is using, and then you can modify that under

Settings/Advanced Search/Macros

View solution in original post

Reply
Solved! Jump to solution
Solution

jwelch_splunk
Splunk Employee
Splunk Employee
‎01-17-2017 05:40 AM

CIM Setup and type ahead work off the local indexes.conf

Even though the SH does not index data, it is very important to have a "complete" indexes.conf on your SH for the two reasons I listed above.

I would recommend that you have an indexes.conf app to push to all search heads from your deployer and/or deployement server.

At present Splunk Distributed search cannot see what is on the "peers" for indexes ,and thus the need for a local indexes.conf that is all inclusive of what you have on the peers.

If you don't want to do this, you can modify the macros by hand for CIM rather than using the CIM Setup.

You can go to settings / Data Models / here you can click on each data model and see in the constraint which macro the DM is using, and then you can modify that under

Settings/Advanced Search/Macros

Reply
Solved! Jump to solution

joshfenton01
Explorer
‎01-18-2017 08:09 AM

Is there any potential that this functionality will eventually be moved into the code instead of having the one off app that needs to be managed?

0 Karma
Reply
Solved! Jump to solution

jwelch_splunk
Splunk Employee
Splunk Employee
‎01-18-2017 08:29 AM

You can manage the filters from within ES

Configure / CIM Setup

The CIM App can be used both with or without ES. So my guess to your question is no.

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎01-16-2017 04:08 AM

I wouldn't do directly via UI. But would do it in the staging Server -> then push it to deployer -> then to search head cluster
This way all your environments can get the same package

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...