Deployment Architecture

How to create new index in index cluster?

ze271021
Loves-to-Learn Everything

Hello,

I have an issue regarding the creation of a new index.

I want to create a new index to receive logs from NPS servers.

First, I created a new app for NPS in the deployment-apps in the master server, but I created the new folder for the app and edited everything with a root user. I assigned the app to a new server class in the master server.

I installed the UF on NPS servers and they are successfully connected to the deployment server. I added the new server class.

Now I am getting the error that index=radius (defined in the new app created) does not exist.

So, I went to the master-apps in the master server; the previously defined indexes are present in the directory X other than _cluster, and I added the index radius in the local file of the directory X. I validated the conf and pushed it, and all the indexes in the indexer cluster have the same config, but the index radius is not present.

I did all the modifications using the root user.

Can anyone advise me on the issue?

Thank you.

 

 

0 Karma

gcusello
SplunkTrust

Hi @ze271021,

there could be two issues to check:

At first, check if the index was created on the indexers; if not, you have to control the indexes.conf file in the "master-apps" folder of the Master Node server.

If yes, probably the issue is in the app deployed to the Universal Forwarders or in the UF configuration.

At first, check how you configured the UFs' outputs.conf, which is used to address the indexers to send logs.

Then try again, because until you have data, you won't see the index in the Master Node list (in the GUI).

As a last check, verify if the pointing to the logs in the NTP servers is correct (inputs.conf in the deployed app).

Ciao.

Giuseppe

 

0 Karma

ze271021
Loves-to-Learn Everything

Hi @gcusello ,

Thank you for the reply.

I noticed that I made a mistake in the inputs.conf and props.conf in the new app created. I corrected the mistake. I am waiting for the data to be present on the search head since the NPS servers are successfully connected. Also, the error messages disappeared, but the index radius is still not present.

Thanks.

 

 

 

 

0 Karma

gcusello
SplunkTrust

Hi @ze271021,

Even if you identified a mistake in inputs.conf, repeat the checks I hinted at in my previous message; these are the possible causes of the issue.

Ciao.

Giuseppe

0 Karma
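
An added example, not part of the thread: a small checker for the failure discussed above, where inputs.conf in the deployed app names an index (radius) that the indexers do not have. It assumes the standard indexes.conf settings for a clustered index (homePath, coldPath, thawedPath, repFactor = auto); the file contents and the monitor path are constructed samples.

```python
# Cross-check a forwarder app's inputs.conf against the indexes.conf pushed
# to the indexer cluster. All file contents below are constructed samples.
import re

REQUIRED = ("homePath", "coldPath", "thawedPath")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_indexes(inputs_text, indexes_text):
    """Return a list of problems for every index referenced by the inputs."""
    inputs, indexes = parse_conf(inputs_text), parse_conf(indexes_text)
    problems = []
    wanted = {s.get("index") for s in inputs.values() if s.get("index")}
    for name in sorted(wanted):
        stanza = indexes.get(name)
        if stanza is None:
            problems.append(f"{name}: no [{name}] stanza in indexes.conf")
            continue
        for key in REQUIRED:
            if key not in stanza:
                problems.append(f"{name}: missing {key}")
        if stanza.get("repFactor") != "auto":
            problems.append(f"{name}: repFactor is not auto (index is not replicated)")
    return problems

SAMPLE_INPUTS = r"""
[monitor://C:\Windows\System32\LogFiles\IN*.log]
index = radius
"""
SAMPLE_INDEXES = """
[radius]
homePath = $SPLUNK_DB/radius/db
coldPath = $SPLUNK_DB/radius/colddb
repFactor = auto
"""
print("\n".join(check_indexes(SAMPLE_INPUTS, SAMPLE_INDEXES)))
```

Run it against the real inputs.conf from deployment-apps and the indexes.conf from master-apps before validating and pushing the cluster bundle; an empty result means every referenced index is fully defined.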