I know this is very simple but somehow I am not able to achieve it . I have created one index in search app and now I want to move it to another app . This is what I have done so far
1) Stop splunk
2) cut the stenza from /splunkhome/etc/app/search/indexes.conf
[windows] coldPath = $SPLUNK_DB\windows\colddb enableDataIntegrityControl = 0 enableTsidxReduction = 0 homePath = $SPLUNK_DB\windows\db maxTotalDataSizeMB = 512000 thawedPath = $SPLUNK_DB\windows\thaweddb
3) paste this under /splunkhome/etc/apps/win/indexes.conf
4) start splunk
Now When I am checking the index in the setting windows index is gone . Not sure what is missing here ?
Please follow the below steps to move index from one app to another app.
1) Stop Splunk
2) go to splunkhome/etc/app/search/indexes.conf (the directory where you saved your .conf file)
3) write mv indexes.conf /opt/splunk/etc//local/
4) check if the file is moved or not.
5) restart splunk
I hope this solves your problem.
What permission did you set for this index? You need to provide it under $SPLUNK_HOME/etc/apps/search/metadata/local.meta or
[indexes/cmx] owner = admin version = 6.5.0 modtime = 1487359650.296835000
Version and modtime can be ignored.
Issue here is where you have your indexes.conf file actually located.
This should actually be under /splunkhome/etc/apps/APPNAME/local/indexes.conf.
Most likely, you copied it out of that location on the search app, but the Win app didnt have a local directory, so this file ended up in the apps home directory. Move it and restart!
Some things you can check:
$SPLUNK_HOME/bin/splunk list indexand see if your index is in the list
$SPLUNK_HOME/bin/splunk btool indexes list <yourindexnamehere>to see if Splunk uses your config file
on Splunk Web I am getting below error as well
Received event for unconfigured/disabled/deleted index=windows with source="source::disk" host="host::DESKTOP-CVGTF3S" sourcetype="sourcetype::WinHostMon". So far received events from 1 missing index(es).
Neither it is a cluster environment nor my indexer and search head are on different machine .It is a dev machine so all the components are on same machine that is search head and indexer.
for alternate i can create new app then create new index within this app. But I want to test if i already have index in search app and later I want to move it to my newly created app then I am facing an issue . Saw many answers on the same topic and I followed the instructions but no success .
Something like this