Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Add Data - only default indexes

detrue
New Member
‎03-21-2026 02:05 PM

I have a distributed deployment with a SHC and a IC.  I have added the index to the manager and pushed the new index to the index members.  I went to each index member and verified the new custom indexes are there and active.  I am logging in as admin on one of the index members and trying to add data via a file in the add data wizard.  When i get to choosing the index, only the default indexes are listed there.  The custom indexes are not there.  I have tried to manually updating the indexes.conf file on the SHs as read in another post but that didnt help.

 

Labels (1)
Labels
0 Karma
Reply

kknairr
Contributor
‎03-22-2026 09:20 AM

@detrue - One point I would like to clarify with you is what’s the reason for logging into the indexer’s UI to add data? In most Splunk distributed deployments, data ingestion is typically handled by forwarders or heavy forwarders, and indexes are created on the indexers for storage. The Add Data wizard is usually run on a search head or a standalone heavy forwarder during testing or small-scale ingestion, not directly on an indexer.

To make custom indexes selectable, you need to deploy the same indexes.conf stanzas to the SHC via the deployer so that the UI is aware of them or create a new index locally on the standalone Heavy forwarder instance to properly map it since the indexes you define on Indexer Cluster won't get propagated to other layers in a Splunk distributed environment. 

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️ 

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-22-2026 09:19 AM

Hi @detrue ,

by default, a Search Head cannot see the indexers on remote indexers.

For this reason, it's a PS best practice that the org_all_indexes app, containing the indexes.conf file, will be deployed both to Indexers and Search Heads, even if on the SHs there isn't any active index.

In this way, you can see on the SHs all the active indexes.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...