Deployment Architecture

Indexes are not creating after apply Cluster-Bundle

Hello,

After several trial and error, I can not sort out the issue for additional Indexes creation for cluster peers. As per the docs, i prefer to create indexes.conf under master-app of cluster master and then run splunk apply cluster-bundle. As a result I can see the apps pushed to slave-apps of each index. But under indexes, no addition index has been created. Am i missing any configuration. Below are the details.

@CLUSTER-MASTER:

[splunker@CM01_152 ~]$ cat /opt/splunk/etc/master-apps/my_cluster_indexes/indexes.conf
[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 600
coldToFrozenDir = /opt/frozen/test
thawedPath = $SPLUNK_DB/test/thaweddb
maxDataSize = 300
repFactor = auto

[splunker@CM01_152 ~]$ /opt/splunk/bin/splunk apply cluster-bundle
Created new bundle with checksum=B537979883FDCEF82CC3F5035C811E56

Applying new bundle. The peers may restart depending on the configurations in applied bundle.

@CLUSTER-PEER:

[splunker@IDX01_153 ~]$ cat /opt/splunk/etc/slave-apps/my_cluster_indexes/indexes.conf
[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 600
coldToFrozenDir = /opt/frozen/test
thawedPath = $SPLUNK_DB/test/thaweddb
maxDataSize = 300
repFactor = auto

NOTE THAT, I HAVE GIVEN PERMISSION 755 TO USER SPLUNKER ON /OPT/FROZEN/TEST

No error or warning massage at Distribute Configuration Bundle from Cluster Master Node. Even after restart cluster master and rolling restart for cluster-peers not showing me additional index at cluster peer.

0 Karma
1 Solution

Influencer

You need to put your indexes.conf under /opt/splunk/etc/master-apps/_cluster/local/indexes.conf

After you've made the change, and pushed the new bundle, you can verify that the index exists on a cluster peer by running the following on one of the peers:

splunk cmd btool indexes list

Also note that the index will not show up in the cluster master's indexes list until the new index has some data in it.

View solution in original post

0 Karma

Influencer

You need to put your indexes.conf under /opt/splunk/etc/master-apps/_cluster/local/indexes.conf

After you've made the change, and pushed the new bundle, you can verify that the index exists on a cluster peer by running the following on one of the peers:

splunk cmd btool indexes list

Also note that the index will not show up in the cluster master's indexes list until the new index has some data in it.

View solution in original post

0 Karma

Hi masonmorales,

Sorry for the typo of my previous post. I actually put my indexes.conf under local of "my_cluster_indexes" app of Cluster-Master. But I will try to follow your suggestion as you put it under local of _cluster app.

But my question is, will that index name as "test" can been seen from Cluster-Peers.

If the answer is simply NO, then it is fine for me. But if the answer is YES, then it is a problem for me.

Hope you can understand my doubt.

0 Karma

Influencer

I'm not exactly sure what you mean by, "can be seen from cluster-peers", or why it would be a problem. Could you explain a little further?

The cluster bundle gets pushed from the cluster master to each of the cluster peers, so they all receive a copy of the indexes.conf file.

0 Karma

Influencer

Update: Based on the configurations you added to your question, you should be able to send data into the new index now. The index will not show up in Splunk Web until some events have been added to it.

0 Karma