Deployment Architecture

How come my new Index is not showing in DMC?

wendtb
Path Finder

I recently added a new index in Splunk. I am running with 2 clustered indexes. The index is pulling in data, and shows up in DMC, Index > Indexes and Volumes: Deployment tab. However, it doesn't show up in Settings > Data > Indexes on Master, or any search heads.

Index shows up showing data is there using this search

| REST /services/data/indexes
| eval sizeGB = currentDBSizeMB/1024
| eval sizeGB = round(sizeGB, 3)
| table title, sizeGB

Is there a way to get the index to show up in the web GUI?

0 Karma
1 Solution

chrisyounger
SplunkTrust

In a multi-server environment it's a good idea to create a master copy of the indexes.conf file that contains all your indexes. You then need to manually copy this to all servers (and keep it in sync). There is no in-built synchronization of index names.

If you don't want to do this, then you can just create pretend indexes on the other servers using the UI. When you create these pretend indexes on the other servers, they won't contain data, but it will mean that type-ahead completion and the ability to define data inputs properly will work.

Finally, you can still search the index from the search heads, even though the index does not show up. You won't be able to control permissions to it though.

All the best.

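Added example (not part of the original posts and not Splunk tooling): since the answer above says index names are not synchronized between servers, this Python sketch compares the indexes.conf text collected from each server and lists the index stanzas each one lacks. The server names, the index name `netfw` and the sample file contents are constructed for illustration.

```python
import re

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")
# Stanza names in indexes.conf that configure something other than an index.
NOT_AN_INDEX = ("volume:", "provider:", "provider-family:")

def index_names(conf_text):
    """Return the set of index names defined in one indexes.conf body."""
    names = set()
    for raw in conf_text.splitlines():
        m = STANZA.match(raw.strip())
        if not m:
            continue  # settings, comments and blank lines
        name = m.group(1).strip()
        if name == "default" or name.startswith(NOT_AN_INDEX):
            continue
        names.add(name)
    return names

def drift(configs):
    """Map each server to the sorted index names it lacks but another server has."""
    per_server = {srv: index_names(text) for srv, text in configs.items()}
    everything = set().union(*per_server.values())
    return {srv: sorted(everything - have)
            for srv, have in per_server.items() if everything - have}

# Constructed sample input: hypothetical server names and index name.
SAMPLE = {
    "idx1": """
# indexer: full copy
[default]
frozenTimePeriodInSecs = 7776000
[volume:hot]
path = /opt/splunk/hot
[main]
homePath = $SPLUNK_DB/defaultdb/db
[netfw]
homePath = volume:hot/netfw/db
""",
    "sh1": "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n",
    "master": "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n",
}

if __name__ == "__main__":
    for server, missing in drift(SAMPLE).items():
        print(f"{server}: missing {', '.join(missing)}")
```

A server that appears in the result is one where the index will not be listed under Settings > Data > Indexes until its stanza is added there.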

woodcock
Esteemed Legend

One trick that you can do to see the source XML of any Splunk dashboard

The DMC searches start out like this:

| rest splunk_server=$splunk_server$ /services/data/indexes $datatype$
| join type=outer title [| rest splunk_server=$splunk_server$ /services/data/indexes-extended $datatype$]
| `dmc_exclude_indexes`

So you should check out the dmc_exclude_indexes macro. Also see if the splunk_server=$splunk_server$ changes things for you.

P.S. If you add ?showsource=true to any dashboard, Splunk will show you the XML source of the panel, even if the Edit button is not there (but you won't be able to change/save it).

0 Karma

