Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Move Index Configeration Entry

hartfoml
Motivator
‎05-17-2013 10:31 AM

I used the CLI to create two indexes.

The entry was put in the splunk/etc/apps/search/local/index.conf file
I wanted it in the splunk/etc/system/local/index.conf file

Does this make a difference???
If I need to how can i move the config info to the new config file without breaking the index or deleting and recreating?

What did I do wrong that it created the indexes in the search app rather than in the system folder?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-17-2013 12:32 PM

Ah, rest easy. You can move the configuration to /etc/system/local. This is just the definition of the index, not the index itself. No need to clean/re-index.

Oh, and by the way, you did nothing wrong. In this case it does not really make a difference, since the 'search' app cannot be disabled. However, I for one like to have these types (index-time related) of conf in one place, and I prefer to edit by hand so I know where they are. Other types, like of conf, like field extractions, eventtypes, saved searches etc can, and often should, be set in different apps.

See http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Wheretofindtheconfigurationfiles

To 'fix' this:
1. Stop splunk.
2. Move the file (or rather the contents, as you might already have an indexes.conf in /etc/system/local).
3. Start splunk.

/k

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-17-2013 12:32 PM

Ah, rest easy. You can move the configuration to /etc/system/local. This is just the definition of the index, not the index itself. No need to clean/re-index.

Oh, and by the way, you did nothing wrong. In this case it does not really make a difference, since the 'search' app cannot be disabled. However, I for one like to have these types (index-time related) of conf in one place, and I prefer to edit by hand so I know where they are. Other types, like of conf, like field extractions, eventtypes, saved searches etc can, and often should, be set in different apps.

See http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Wheretofindtheconfigurationfiles

To 'fix' this:
1. Stop splunk.
2. Move the file (or rather the contents, as you might already have an indexes.conf in /etc/system/local).
3. Start splunk.

/k

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-20-2013 10:22 PM

Don't think so. You can edit the files before you stop/restart. So it's only a stop for about a minute or so.

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎05-20-2013 07:48 AM

Thanks so much for the help and this is probably the correct answer. I can't test it because I can't stop spunkd during the work day. Do you know of a way to update the info without stopping the service???

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...