How to disable an index on a Cluster Master using ...

dhernandez · ‎10-03-2023

Hello,

I'm working with a Splunk cluster which has two slave peers and I need to disable an index on the Cluster Master using the REST API. I've tried the usual endpoint (/servicesNS/nobody/{app}/configs/conf-indexes/{index}) as this doc says (https://docs.splunk.com/Documentation/Splunk/8.0.0/RESTREF/RESTconf#configs.2Fconf-.7Bfile.7D.2F.7Bs... ), but it doesn't seem to work on the Cluster Master.

Can someone please provide me with the specific REST API endpoint I should use to disable an index on the Cluster Master? I have read the documentation https://docs.splunk.com/Documentation/Splunk/8.0.0/RESTREF/RESTcluster but there is no reference to what I need.

Thank you in advance for your assistance

richgalloway · ‎10-03-2023

One problem is the CM does not manage indexes. It manages indexers (search peers), buckets, and apps. To disable an index you need to modify indexes.conf in an app in $SPLUNK_HOME/etc/cluster/apps and then apply the cluster bundle.

There is a REST endpoint for applying the bundle (cluster/manager/control/default/apply). There also is a REST endpoint for installing and updating apps (apps/local), but it can't touch the etc/cluster/apps directory.

---
If this reply helps you, Karma would be appreciated.

How to disable an index on a Cluster Master using REST API

indexer clustering

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?