Archive

How to move index defination from one app to another app ?

Builder

Experts,

I know this is very simple but somehow I am not able to achieve it . I have created one index in search app and now I want to move it to another app . This is what I have done so far

1) Stop splunk
2) cut the stenza from /splunkhome/etc/app/search/indexes.conf

[windows]
coldPath = $SPLUNK_DB\windows\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\windows\db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB\windows\thaweddb

3) paste this under /splunkhome/etc/apps/win/indexes.conf
4) start splunk

Now When I am checking the index in the setting windows index is gone . Not sure what is missing here ?

Reagrds
VG

Tags (1)
0 Karma

SplunkTrust
SplunkTrust

hey @vikas_gopal

Please follow the below steps to move index from one app to another app.

1) Stop Splunk
2) go to splunkhome/etc/app/search/indexes.conf (the directory where you saved your .conf file)
3) write mv indexes.conf /opt/splunk/etc//local/
4) check if the file is moved or not.
5) restart splunk

I hope this solves your problem.

0 Karma

Motivator

What permission did you set for this index? You need to provide it under $SPLUNK_HOME/etc/apps/search/metadata/local.meta or
$SPLUNK_HOME/etc/apps/search/metadata/default.meta

[indexes/cmx]
owner = admin
version = 6.5.0
modtime = 1487359650.296835000

Version and modtime can be ignored.

0 Karma

Splunk Employee
Splunk Employee

This is not necessary for indexes.conf configurations.

0 Karma

Splunk Employee
Splunk Employee

Issue here is where you have your indexes.conf file actually located.

/splunkhome/etc/app/search/indexes.conf

This should actually be under /splunkhome/etc/apps/APPNAME/local/indexes.conf.

Most likely, you copied it out of that location on the search app, but the Win app didnt have a local directory, so this file ended up in the apps home directory. Move it and restart!

0 Karma

SplunkTrust
SplunkTrust

Some things you can check:

  • Check the file permission of the new indexes.conf
  • run $SPLUNK_HOME/bin/splunk list index and see if your index is in the list
  • run $SPLUNK_HOME/bin/splunk btool indexes list <yourindexnamehere> to see if Splunk uses your config file
  • Check App / config file precedence, maybe your config is not applied

cheers, MuS

0 Karma

Builder

on Splunk Web I am getting below error as well
Received event for unconfigured/disabled/deleted index=windows with source="source::disk" host="host::DESKTOP-CVGTF3S" sourcetype="sourcetype::WinHostMon". So far received events from 1 missing index(es).

0 Karma

SplunkTrust
SplunkTrust

Is this a clustered environment? If so you should be modifying indexes.conf on cluster master in an app under splunkhome/etc/master-apps

0 Karma

SplunkTrust
SplunkTrust

If this is just for your search head, then the error is from not having the index defined on your indexers.

0 Karma

Builder

Neither it is a cluster environment nor my indexer and search head are on different machine .It is a dev machine so all the components are on same machine that is search head and indexer.

0 Karma

Builder

for alternate i can create new app then create new index within this app. But I want to test if i already have index in search app and later I want to move it to my newly created app then I am facing an issue . Saw many answers on the same topic and I followed the instructions but no success .
Something like this
https://answers.splunk.com/answers/174843/how-to-move-an-index-to-another-app.html

0 Karma

SplunkTrust
SplunkTrust

It’s fine to put indexes.conf in any app so long as you restart after

0 Karma