Is there a best way to rename a Splunk indexer ser...

cdavidy · ‎04-14-2010

I've been asked to look into renaming my Splunk indexer server (don't ask why). Is there a "best" or safe method for doing this? On reviewing the config files, it doesn't appear complicated, but I wanted to make sure I wasn't missing something. Thanks.

gkanapathy · ‎04-14-2010

The only places you need to change, unless you've added configurations yourself to the indexer are in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf. These are the files that are updated if you change the name(s) in Manager, System Settings, Splunk server name and Default host name, respectively.

If you change the DNS name and other machines (forwarders, sysloggers) send to it, of course they will need to be updated. Note also that any indexed data that refers to the old host name will not and can not be updated.

BunnyHop · ‎04-14-2010

You can either do it from the config file (indexes.conf) or through the GUI (Manager > Indexes). Keep in mind if you do rename the index and you have setup inputs to go in that index, you will have to reconfigure those input to point to the new name of the index.

Is there a best way to rename a Splunk indexer server?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...