Deployment Architecture

Why is the search head unable to find a new index in cluster?

Engager

Hi all,

My current setup consists of:

1 x Search Head
3 x Indexers
1 x Cluster Master
1 x DS
1 x Test Forwarder

I created a new index via an indexes.conf file in the cluster master masterapps/cluster/local/ directory.
Pushed that bundle to the indexers and saw the new indexes get created.
Forwarded an app on the test instance to the new index and saw the folder get populated with data under the Indexers:$SPLUNKDB/{testindex}.
Now when I run a search in my search head for the new index, it doesn't appear. Nor does it appear under the indexes menu.
Searching only for the host or the index does not return anything.
I can search for the default indexes such as "_internal" and then my test instance will show up.

Am I missing a setting somewhere to complete the setup for the search head to search through all indexes?

They are all currently connected to a license master with a valid license.

Thanks for any help

0 Karma
1 Solution

Engager

Figured it out. Needed to include the index in the search as well when searching for the host. Also figured out that my default index search needed to include the index by default.

Thanks folks

0 Karma

SplunkTrust

@willso777 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Motivator

Did you activate distributed search? You add search peers, or indexers, to a Splunk Enterprise instance that you designate as a search head. You do this by specifying each search peer manually (settings >> Distributed search >> Search peers).

More info here.

0 Karma

Contributor

Your new index will only show in the "index menu" if you put the indexes.conf on your SH and you have permission to access the index.

You should be able to find your index with index=* if you have permission to access it.

0 Karma

Influencer
  1. Verify the time range you are searching. Search for a larger time range.
  2. | rest /services/data/indexes | search title="testindex" - see if this gives you results - splunkserver field will tell you where the results are coming from
0 Karma