Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the search head unable to find a new index in cluster?

willso777
Engager
‎08-14-2018 04:29 PM

Hi all,

My current setup consists of

1 x Search Head
3 x Indexers
1 x Cluster Master
1 x DS
1 x Test Forwarder

I created a new index via an indexes.conf file in the cluster master master_apps/_cluster/local/ directory
Pushed that bundle to the indexers and saw the new indexes get created
Forwarded an app on the test instance to the new index and saw the folder get populated with data under the Indexers:$SPLUNK_DB/{test_index}
Now when I run a search in my search head for the new index, it doesn't appear. Nor does it appear under the indexes menu.
Searching only for the host or the index does not return anything.
I can search for the default indexes such as "_internal" and then my test instance will show up.

Am I missing a setting somewhere to complete the setup for the search head to search through all indexes?

They are all currently connected to a license master with a valid license

Thanks for any help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

willso777
Engager
‎08-15-2018 10:40 PM

Figured it out. Needed to include the index in the search as well when searching for the host. Also figured out that my default index search needed to include the index by default

Thanks folks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

willso777
Engager
‎08-15-2018 10:40 PM

Figured it out. Needed to include the index in the search as well when searching for the host. Also figured out that my default index search needed to include the index by default

Thanks folks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2018 03:14 AM

@willso777 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-15-2018 06:30 AM

Did you activate distributed search? You add search peers, or indexers, to a Splunk Enterprise instance that you designate as a search head. You do this by specifying each search peer manually (settings >> Distributed search >> Search peers).

More info here.

0 Karma
Reply
Solved! Jump to solution

teunlaan
Contributor
‎08-15-2018 05:20 AM

Your new index will only show in the "index menu" if you put the indexes.conf on your SH and you have permission to access the index.

You should be abel too find you index with index=* if you have the permission to access is

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎08-14-2018 08:19 PM
  1. Verify the time range you are searching. Search for a larger time range.
  2. | rest /services/data/indexes | search title="test_index" - see if this gives you results - splunk_server field will tell you where the results are coming from
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...