Having to restart index cluster

johannamayer
New Member

Hi Splunkers, I am experiencing issues with an index cluster and it would be great if you could help me out.

Every time I change or create an index a restart is required and it takes up to an hour until all the indexers are ready again. This used to work without a restart and only started happening after an upgrade at some point. I found this, but that doesn't say anything about creating indexes.

Do you have an idea where this is coming from exactly and if it can be avoided in some way? Since changes are made weekly, it is really annoying.


gcusello
SplunkTrust

Hi @johannamayer,

Index creation isn't an activity that is usually performed frequently; it should usually be planned and executed when there is some relevant change (e.g. new sources or new requirements).

If you frequently need to create new indexes (even weekly creation is a strange frequency!), there is probably a wrong interpretation of the index concept:

An index is a container where logs are stored. You can create indexes for each technology you ingest, but you can also put different technologies in the same index. The aspects to consider in index definition are:

  • retention,
  • access grants.

In other words, you have to put logs with the same retention period and the same access grants in the same index; if you have logs with different retention periods or different access grants, you have to put them in different indexes. In other words, indexes aren't database tables, they are containers; the log definition is done with the sourcetype, and there is no sense in creating e.g. an index for the same logs with the week definition in the name.

Anyway, answering your question: you can also delay your rolling restart, but obviously the new indexes aren't available until the restart is completed!

Ciao.

Giuseppe

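
As an added illustration of the design rule in the answer above (indexes split by retention and access grants, technologies told apart by sourcetype), not configuration from the poster, the answerer or Splunk: the index names, role names, file paths and retention values below are constructed for the example.

```ini
# indexes.conf (pushed from the cluster manager; repFactor = auto makes the
# index replicated across the cluster). One index per retention/access combination.

# Web access logs from several technologies, 30-day retention, broadly readable.
[web_30d]
homePath   = $SPLUNK_DB/web_30d/db
coldPath   = $SPLUNK_DB/web_30d/colddb
thawedPath = $SPLUNK_DB/web_30d/thaweddb
repFactor  = auto
frozenTimePeriodInSecs = 2592000     # 30 days, then buckets are frozen (deleted)
maxTotalDataSizeMB     = 200000

# Security logs, 1-year retention, restricted access: different index.
[security_365d]
homePath   = $SPLUNK_DB/security_365d/db
coldPath   = $SPLUNK_DB/security_365d/colddb
thawedPath = $SPLUNK_DB/security_365d/thaweddb
repFactor  = auto
frozenTimePeriodInSecs = 31536000    # 365 days
maxTotalDataSizeMB     = 500000

# authorize.conf (search head): access grants are expressed per index, so a
# role is the reason to separate indexes, not a date or a week number.
[role_web_analyst]
importRoles        = user
srchIndexesAllowed = web_30d
srchIndexesDefault = web_30d

[role_soc_analyst]
importRoles        = user
srchIndexesAllowed = web_30d;security_365d
srchIndexesDefault = security_365d

# inputs.conf (forwarder): two different technologies share web_30d because
# they have the same retention and the same readers; sourcetype keeps them
# distinguishable at search time (e.g. index=web_30d sourcetype=nginx:access).
[monitor:///var/log/nginx/access.log]
sourcetype = nginx:access
index      = web_30d

[monitor:///var/log/apache2/access.log]
sourcetype = apache:access
index      = web_30d

[monitor:///var/log/auth.log]
sourcetype = linux_secure
index      = security_365d
```

With this layout a new source that matches an existing retention/access combination only needs an inputs.conf change on the forwarder, not a new index and the cluster-wide restart that comes with it.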