Deployment Architecture

Making indexes available to searchhead without indexes.conf

Brainizer
Engager

Scenario: I have a searchhead and two idx in a cluster. there is an index (index_a) defined in the cluster. Until now I always deployed a copy of the indexes.conf with a mock index on the SH, for example to manage role permissions for it.  This was helpful to show the index in the role definition. However in this deployment there is no such indexes.conf file where index_a is defined on the SH, but the index still shows up in the configuration UI. All instances have Splunk Enterprise 9.0.5.1 installed

Problem: I have a new Index that I defined after index_a. It is called index_b. index_b doesn't show up in the roles definition for some reason. 

What I tried: I looked up the name of index_a in the config files of the searchhead. The only appearance is in system/local/authorize.conf. I also compared the index definitions on the CM including file permission settings. The two configurations only differ in index name and app.

I also set up a test environment with one indexer and one searchhead. I created one index on the IX and it appeared on the SH role definition some time later without me configuring anything. Again I verified if the name of the index appears anyway in the SHs configs, but it didn't.

Question: Is there a new feature which makes the mock definitions in the SH obsolete? I am aware that I can solve this with this approach but it appears to be a nicer way to do it like it is done with index_a

Labels (3)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

have you try to 

splunk btool indexes list --debug

and look if it’s there and where/in which file it (index_a) has defined.

I suppose that there haven’t any index_b definitions.

r. Ismo

 

0 Karma

Brainizer
Engager

Yes as I said in my post I checked the config files and there are no definitions of both indexes on the SH. Only on the IX and on the IX they are identical except the name. 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You said the You have looked those,  but You haven't said how. There are several ways to look those are some are better and some a not so good. Even btool shows only those configurations what are in disk, but not those which you have in running splunkd. But I expecting that this is still enough close to to reality. Of course you could restart splunkd or use e.g. rest api to get running versions.

Basically Splunk GUI (I expecting that you are talking about Users&roles settings?) cannot show anything what it haven' t on it's configurations locally!

You said that you haven't seen those on with 

splunk btool indexes list --debug|egrep '\[.*\]'

How about this

splunk btool authorize list --debug |egrep '(\[.*\]|Indexes)'|egrep -v capability

 Can it found the index_a, but not index_b?

0 Karma

Brainizer
Engager

I said "config files" followed by an actual config file path in my first post. But for clarification. I check it with `btool` and `show config`. I am also aware that the config files are not automatically active if I change them on disc. I do a restart (Not debug refresh) if I change anything on disk. I also keep track of the restarts. The SH is also not part of a SH cluster which could also be a source of confusion. I don't use any other remote managing agents which could change the files.

About the two commands you kindly provided. Neither `splunk btool` or `splunk show config` has the indexes definition for index_a or index_b on the SH. Only on the IX. Authorization is set only for index_a in etc/systems/local/authorization.conf for a specific group. Please take note that I cant just post the outputs of the commands because there is some confidential information within. 

0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...