All Apps and Add-ons

How to move index defination from one app to another app ?

vikas_gopal
Builder

Experts,

I know this is very simple but somehow I am not able to achieve it . I have created one index in search app and now I want to move it to another app . This is what I have done so far

1) Stop splunk
2) cut the stenza from /splunkhome/etc/app/search/indexes.conf

[windows]
coldPath = $SPLUNK_DB\windows\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\windows\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\windows\thaweddb

3) paste this under /splunkhome/etc/apps/win/indexes.conf
4) start splunk

Now When I am checking the index in the setting windows index is gone . Not sure what is missing here ?

Reagrds
VG

Tags (1)
0 Karma

mayurr98
Super Champion

hey @vikas_gopal

Please follow the below steps to move index from one app to another app.

1) Stop Splunk
2) go to splunkhome/etc/app/search/indexes.conf (the directory where you saved your .conf file)
3) write mv indexes.conf /opt/splunk/etc//local/
4) check if the file is moved or not.
5) restart splunk

I hope this solves your problem.

0 Karma

hardikJsheth
Motivator

What permission did you set for this index? You need to provide it under $SPLUNK_HOME/etc/apps/search/metadata/local.meta or
$SPLUNK_HOME/etc/apps/search/metadata/default.meta

[indexes/cmx]
owner = admin
version = 6.5.0
modtime = 1487359650.296835000

Version and modtime can be ignored.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

This is not necessary for indexes.conf configurations.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Issue here is where you have your indexes.conf file actually located.

/splunkhome/etc/app/search/indexes.conf

This should actually be under /splunkhome/etc/apps/APPNAME/local/indexes.conf.

Most likely, you copied it out of that location on the search app, but the Win app didnt have a local directory, so this file ended up in the apps home directory. Move it and restart!

0 Karma

MuS
SplunkTrust
SplunkTrust

Some things you can check:

  • Check the file permission of the new indexes.conf
  • run $SPLUNK_HOME/bin/splunk list index and see if your index is in the list
  • run $SPLUNK_HOME/bin/splunk btool indexes list <yourindexnamehere> to see if Splunk uses your config file
  • Check App / config file precedence, maybe your config is not applied

cheers, MuS

0 Karma

vikas_gopal
Builder

on Splunk Web I am getting below error as well
Received event for unconfigured/disabled/deleted index=windows with source="source::disk" host="host::DESKTOP-CVGTF3S" sourcetype="sourcetype::WinHostMon". So far received events from 1 missing index(es).

0 Karma

jkat54
SplunkTrust
SplunkTrust

Is this a clustered environment? If so you should be modifying indexes.conf on cluster master in an app under splunkhome/etc/master-apps

0 Karma

jkat54
SplunkTrust
SplunkTrust

If this is just for your search head, then the error is from not having the index defined on your indexers.

0 Karma

vikas_gopal
Builder

Neither it is a cluster environment nor my indexer and search head are on different machine .It is a dev machine so all the components are on same machine that is search head and indexer.

0 Karma

vikas_gopal
Builder

for alternate i can create new app then create new index within this app. But I want to test if i already have index in search app and later I want to move it to my newly created app then I am facing an issue . Saw many answers on the same topic and I followed the instructions but no success .
Something like this
https://answers.splunk.com/answers/174843/how-to-move-an-index-to-another-app.html

0 Karma

jkat54
SplunkTrust
SplunkTrust

It’s fine to put indexes.conf in any app so long as you restart after

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...