Scenario: I have a searchhead and two idx in a cluster. There is an index (index_a) defined in the cluster. Until now I always deployed a copy of the indexes.conf with a mock index on the SH, for example to manage role permissions for it. This was helpful to show the index in the role definition. However, in this deployment there is no such indexes.conf file where index_a is defined on the SH, but the index still shows up in the configuration UI. All instances have Splunk Enterprise 9.0.5.1 installed.
Problem: I have a new index that I defined after index_a. It is called index_b. index_b doesn't show up in the roles definition for some reason.
What I tried: I looked up the name of index_a in the config files of the searchhead. The only appearance is in system/local/authorize.conf. I also compared the index definitions on the CM including file permission settings. The two configurations only differ in index name and app.
I also set up a test environment with one indexer and one searchhead. I created one index on the IX and it appeared in the SH role definition some time later without me configuring anything. Again I verified whether the name of the index appears anywhere in the SH's configs, but it didn't.
Question: Is there a new feature that makes the mock definitions on the SH obsolete? I am aware that I can solve this with this approach, but there appears to be a nicer way to do it, as is done with index_a.
Hi
Have you tried
`splunk btool indexes list --debug`
and looked whether it’s there and where/in which file it (index_a) is defined?
I suppose that there aren’t any index_b definitions.
r. Ismo
Yes, as I said in my post, I checked the config files and there are no definitions of either index on the SH. Only on the IX, and on the IX they are identical except for the name.
You said that you have looked at those, but you haven't said how. There are several ways to look at those, and some are better and some are not so good. Even btool shows only those configurations that are on disk, not those that you have in the running splunkd. But I expect that this is still close enough to reality. Of course, you could restart splunkd or use e.g. the REST API to get the running versions.
Basically, the Splunk GUI (I expect that you are talking about the Users & roles settings?) cannot show anything that it doesn't have in its configurations locally!
You said that you haven't seen those with
`splunk btool indexes list --debug|egrep '\[.*\]'`
How about this:
`splunk btool authorize list --debug |egrep '(\[.*\]|Indexes)'|egrep -v capability`
Can it find index_a, but not index_b?
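The two btool checks above can be combined into one cross-check that lists every index named in a role's search settings and whether a local index stanza exists for it. This is an added example, not part of the original posts: the sample btool output, the role name `role_analyst`, the paths and the state labels are constructed, and file paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: which indexes named in role settings have a local index stanza?
# Input is text in the format printed by `splunk btool <conf> list --debug`
# (file path, then stanza header or "key = value"); paths are assumed space-free.

# Constructed sample data; the role name and paths are made up for illustration.
SAMPLE_AUTHORIZE='/opt/splunk/etc/system/local/authorize.conf   [role_analyst]
/opt/splunk/etc/system/local/authorize.conf   srchIndexesAllowed = index_a;main
/opt/splunk/etc/system/default/authorize.conf srchIndexesDefault = main'
SAMPLE_INDEXES='/opt/splunk/etc/system/default/indexes.conf [default]
/opt/splunk/etc/system/default/indexes.conf [main]
/opt/splunk/etc/system/default/indexes.conf homePath = $SPLUNK_DB/defaultdb/db'

# Print "role index source-file" for every index named in a role's search settings.
role_indexes() {
  awk '
    $2 ~ /^\[.*\]$/ { role = substr($2, 2, length($2) - 2); next }
    $2 ~ /^srchIndexes(Allowed|Default)$/ {
      val = $0; sub(/^[^=]*=[ \t]*/, "", val)
      n = split(val, names, ";")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", names[i])
        if (names[i] != "") print role, names[i], $1
      }
    }'
}

# Print the index stanza names, skipping [default] and [volume:...] stanzas.
defined_indexes() {
  awk '$2 ~ /^\[.*\]$/ { s = substr($2, 2, length($2) - 2)
                         if (s != "default" && s !~ /^volume:/) print s }'
}

# $1 = authorize output, $2 = indexes output.
report() {
  defined=$(printf '%s\n' "$2" | defined_indexes)
  printf '%s\n' "$1" | role_indexes | while read -r role idx file; do
    case "$idx" in
      *\**) state=wildcard ;;
      *) if printf '%s\n' "$defined" | grep -qxF -- "$idx"
         then state=defined-locally; else state=no-local-stanza; fi ;;
    esac
    printf '%s %s %s %s\n' "$role" "$idx" "$state" "$file"
  done
}

# On a search head: report "$(splunk btool authorize list --debug)" "$(splunk btool indexes list --debug)"
report "$SAMPLE_AUTHORIZE" "$SAMPLE_INDEXES"
```

Like btool itself, this reflects only what is on disk, not what the running splunkd has loaded.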
I said "config files" followed by an actual config file path in my first post. But for clarification: I check it with `btool` and `show config`. I am also aware that the config files are not automatically active if I change them on disk. I do a restart (not debug refresh) if I change anything on disk. I also keep track of the restarts. The SH is also not part of a SH cluster, which could also be a source of confusion. I don't use any other remote managing agents which could change the files.
About the two commands you kindly provided: neither `splunk btool` nor `splunk show config` has the index definition for index_a or index_b on the SH. Only on the IX. Authorization is set only for index_a in etc/systems/local/authorization.conf for a specific group. Please take note that I can't just post the outputs of the commands because there is some confidential information within.