Experts,
I know this is very simple but somehow I am not able to achieve it . I have created one index in search app and now I want to move it to another app . This is what I have done so far
1) Stop splunk
2) cut the stenza from /splunkhome/etc/app/search/indexes.conf
[windows]
coldPath = $SPLUNK_DB\windows\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\windows\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\windows\thaweddb
3) paste this under /splunkhome/etc/apps/win/indexes.conf
4) start splunk
Now When I am checking the index in the setting windows index is gone . Not sure what is missing here ?
Reagrds
VG
hey @vikas_gopal
Please follow the below steps to move index from one app to another app.
1) Stop Splunk
2) go to splunkhome/etc/app/search/indexes.conf (the directory where you saved your .conf file)
3) write mv indexes.conf /opt/splunk/etc//local/
4) check if the file is moved or not.
5) restart splunk
I hope this solves your problem.
What permission did you set for this index? You need to provide it under $SPLUNK_HOME/etc/apps/search/metadata/local.meta or
$SPLUNK_HOME/etc/apps/search/metadata/default.meta
[indexes/cmx]
owner = admin
version = 6.5.0
modtime = 1487359650.296835000
Version and modtime can be ignored.
This is not necessary for indexes.conf configurations.
Issue here is where you have your indexes.conf file actually located.
/splunkhome/etc/app/search/indexes.conf
This should actually be under /splunkhome/etc/apps/APPNAME/local/indexes.conf.
Most likely, you copied it out of that location on the search app, but the Win app didnt have a local directory, so this file ended up in the apps home directory. Move it and restart!
Some things you can check:
indexes.conf
$SPLUNK_HOME/bin/splunk list index
and see if your index is in the list$SPLUNK_HOME/bin/splunk btool indexes list <yourindexnamehere>
to see if Splunk uses your config filecheers, MuS
on Splunk Web I am getting below error as well
Received event for unconfigured/disabled/deleted index=windows with source="source::disk" host="host::DESKTOP-CVGTF3S" sourcetype="sourcetype::WinHostMon". So far received events from 1 missing index(es).
Is this a clustered environment? If so you should be modifying indexes.conf on cluster master in an app under splunkhome/etc/master-apps
If this is just for your search head, then the error is from not having the index defined on your indexers.
Neither it is a cluster environment nor my indexer and search head are on different machine .It is a dev machine so all the components are on same machine that is search head and indexer.
for alternate i can create new app then create new index within this app. But I want to test if i already have index in search app and later I want to move it to my newly created app then I am facing an issue . Saw many answers on the same topic and I followed the instructions but no success .
Something like this
https://answers.splunk.com/answers/174843/how-to-move-an-index-to-another-app.html
It’s fine to put indexes.conf in any app so long as you restart after