Solved: After adding a new index in indexes.conf, why is t...

prianticoy · ‎01-11-2016

Hi!!!

I have a big problem with the index replication in the Indexer cluster.

I add a new index in the indexes.conf file (splunk_home/etc/system/local). I did this in the master node, however, the index is not replicated into the peers (3 peers, repfactor=3)...

I already edit the indexes.conf in splunk_home/etc/system/master-apps/_cluster/local , and after that I restart the master node, but nothing works...

Do you have some tip for me?

Thanks!!!

renjith_nair · ‎01-11-2016

The process to add a new index to indexer cluster is

Add the index details to $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
Make sure that repFactor=auto in included in the index stanza
Distribute the new indexes.conf file to the peers by applying cluster bundle.

This will push the configuration to peers and indexes.conf in slave-apps directory of peers

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configurethepeerindexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Updatepeerconfigurations#Distribute_the_co...

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

gavsdavs_GR · ‎04-20-2017

Out of interest, is the _cluster directory there for some special system reason ?

We distribute indexes.conf and parsing apps for the indexers by putting them in apps under master-apps and we've never done anything with the files under _cluster.

You recommend putting configs in _cluster (in here: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Updatepeerconfigurations#Distribute_the_co...),

rather than appifying/containerizing all configs as per your normal best practice ?

It strikes me as something you (Splunk) are likely to update as you release new versions and add indexes (for example, _telemetry).

I'd call this a system directory, not a user manageable directory.

Soooo...I was just wondering why it's there.

renjith_nair · ‎01-11-2016

The process to add a new index to indexer cluster is

Add the index details to $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
Make sure that repFactor=auto in included in the index stanza
Distribute the new indexes.conf file to the peers by applying cluster bundle.

This will push the configuration to peers and indexes.conf in slave-apps directory of peers

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configurethepeerindexes
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Updatepeerconfigurations#Distribute_the_co...

---
What goes around comes around. If it helps, hit it with Karma 🙂

prianticoy · ‎01-12-2016

Hi! and thanks for your answer!

However, I already did that, and didn't work...

Do you know some other troubleshoot for this issue?

renjith_nair · ‎01-12-2016

What's the status of cluster apply bundle command?
Check in your master's and indexer's log file to see if its throwing any errors for bundle distribution
Check in your indexer's slave-apps/_cluster/local or default directory if the indexes.conf has been updated

---
What goes around comes around. If it helps, hit it with Karma 🙂

prianticoy · ‎01-13-2016

Hi, thanks for your time! I already configure the index and now replication is working fine.

Thanks!

renjith_nair · ‎01-13-2016

Just out of curiosity, what was the problem ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

prianticoy · ‎01-11-2016

I already distributed the config trouhg the master node...

Do you have some tip? please!

After adding a new index in indexes.conf, why is this index not being replicated in my Splunk 6.3.2 indexer cluster?

Developer Spotlight with Paul Stout

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...