How come my new Index is not showing in DMC?

wendtb
Path Finder

I recently added a new index in Splunk. I am running with 2 clustered indexes. The index is pulling in data, and shows up in DMC, Index > Indexes and Volumes: Deployment tab. However, it doesn't show up in Settings > Data > Indexes on Master, or any search heads.

Index shows up, showing data is there, using this search:

| REST /services/data/indexes
| eval sizeGB = currentDBSizeMB/1024
| eval sizeGB = round(sizeGB, 3)
| table title, sizeGB

Is there a way to get the index to show up in the web GUI?

0 Karma

chrisyounger
SplunkTrust

In a multi-server environment it's a good idea to create a master copy of the indexes.conf file that contains all your indexes. You then need to manually copy this to all servers (and keep it in sync). There is no in-built synchronization of index names.

If you don't want to do this, then you can just create pretend indexes on the other servers using the UI. When you create these pretend indexes on the other servers, they won't contain data, but it will mean that type-ahead completion and the ability to define data inputs properly will work.

Finally, you can still search the index from the search heads, even though the index does not show up. You won't be able to control permissions to it though.

All the best.
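An added example, not part of any post in this thread: since the answer above says index names are not synchronized between servers, a small drift check can compare each server's indexes.conf against the master copy and list the indexes a server does not define. It assumes you have collected one indexes.conf text per server; the host names, index names and file contents below are constructed.

```python
import re

# indexes.conf stanzas that configure defaults, storage or providers, not indexes.
NON_INDEX = re.compile(r"^(default$|volume:|provider:|provider-family:)")
STANZA = re.compile(r"^\[([^\]]+)\]\s*$")

def index_names(conf_text):
    """Return the set of index stanza names found in one indexes.conf body."""
    names = set()
    for line in conf_text.splitlines():
        m = STANZA.match(line.strip())  # commented-out stanzas do not match
        if m and not NON_INDEX.match(m.group(1)):
            names.add(m.group(1))
    return names

def drift(master_text, servers):
    """Map each out-of-sync host to the indexes it lacks or adds vs. the master copy."""
    master = index_names(master_text)
    report = {}
    for host, text in servers.items():
        have = index_names(text)
        missing, extra = sorted(master - have), sorted(have - master)
        if missing or extra:
            report[host] = {"missing": missing, "extra": extra}
    return report

# Constructed sample: "netfw" plays the role of the newly added index.
MASTER = """\
[default]
frozenTimePeriodInSecs = 7776000
[volume:hot]
path = /opt/splunk/hot
[main]
homePath = $SPLUNK_DB/defaultdb/db
# [oldindex]
[netfw]
homePath = volume:hot/netfw/db
"""
SERVERS = {
    "idx01": MASTER,                                        # indexer, in sync
    "sh01": "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n",  # search head
    "cm01": "[main]\n[scratch]\n",                          # cluster master
}

if __name__ == "__main__":
    for host, diff in drift(MASTER, SERVERS).items():
        print(host, "missing:", diff["missing"], "extra:", diff["extra"])
```

On a live deployment the per-server input would be the merged configuration, for example the output of `splunk btool indexes list` on each host, rather than a single file.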


woodcock
Esteemed Legend

One trick that you can do to see the source XML of any Splunk dashboard

The DMC searches start out like this:

| rest splunk_server=$splunk_server$ /services/data/indexes $datatype$
| join type=outer title [| rest splunk_server=$splunk_server$ /services/data/indexes-extended $datatype$]
| `dmc_exclude_indexes`

So you should check out the dmc_exclude_indexes macro. Also see if the splunk_server=$splunk_server$ changes things for you.

P.S. If you add ?showsource=true to any dashboard, Splunk will show you the XML source of the panel, even if the Edit button is not there (but you won't be able to change/save it).

0 Karma
