Is it necessary to have index definitions in Clust...

strive · ‎01-24-2018

Hi,

I was checking some old splunk distributed environment. I found a comment in the indexes.conf.template that was present in /opt/splunk/etc/system/local/ directory of cluster master. The comment is "Local indexes with the same names as the indexes on the Indexers have to exist otherwise Splunk will not allow the saved search to reference them".

I doubt if it is true. If it is true then is it a bug or in which version of splunk it is required?

Note: Definitely data wont be stored on cluster master, it is just that the index definitions should be present.

I was wondering is it something similar to defining index in Search Head to log alert events. I had raised this as a comment and a bug has been logged for this -- Please see comments section http://docs.splunk.com/Documentation/Splunk/7.0.1/Alert/LogEvents

Thanks,
Strive

skalliger · ‎01-26-2018

Hi,

no, you do not need a definition under $SPLUNK_HOME$/etc/system/local. You only need those indexes stored in $SPLUNK_HOME$/etc/master-apps/_cluster/local for pushing them to the indexers.

Skalli

ddrillic · ‎01-26-2018

Absolutely. The official documentation at Update common peer configurations and apps

Is it necessary to have index definitions in Cluster Master

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024