I just updated to the latest version of Splunk and the Splunk DB Connect 2.2.0 app and noticed that when I create a new DB Input, I am unable to select my custom indexes from the list. The only ones available are: history (default), main, splunklogger, and summary. I have to edit the /opt/splunk/etc/apps/splunkappdb_connect/local/inputs.conf and manually type in my custom index. This didn't happen on the previous versions.
I don't know why this change was made, and you certainly can work around it using the manual inputs change like you said, but you can also just create the same index name on the local search head to get the name to show up in the list. The data will still be sent to your indexers if everything else is configured correctly; if you are concerned you can always adjust your initial import to a smaller batch.
I use the same solution you do, but I thought I would mention the above alternative. I had to do the same thing with Stream when I set it up, and I didn't find anything in the documentation to suggest I did something wrong.
I am new to splunk, I am also facing the same issue.
Can you tell me how did you add the custom index at /opt/splunk/etc/apps/splunkappdb_connect/local/inputs.conf ?
Did you just change the index name or it is something else as well?
I tried changing only the index name, it did not work for me 😞
Can you please help?
Yes, you should only have to change the index name in the inputs.conf file. Same thing with host. Since the change affects indexing, you will likely need to restart Splunk to apply the change. Most of the time I create the new input from the conf file directly and restart Splunk, rather than create it from the DBX app, but then I don't work with it that much.
You mean to say restart splunk on the server that is the indexer in my case through command line , am I correct?
Restart Splunk via CLI or through the web (Server Controls) on the server that contains the inputs.conf file; wherever DBX is installed. So if you only have one server, or if DBX is installed on the indexer, then yes. I think it's best practice to place collectors tools like this on another Search Head though.
Thank you, that worked.
One more question, If I directly configure the new input in the input.conf manually, will I still have to restart splunk for the changes to take effect? Also, will the new input be visible on the UI?
Yes, any change to an inputs.conf file that affect indexing typically requires a reboot of Splunk.
Yes, the new input will be visible under the DBX configuration once you've added it in.