- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Why is the search head unable to find a new in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
My current setup consists of
1 x Search Head
3 x Indexers
1 x Cluster Master
1 x DS
1 x Test Forwarder
I created a new index via an indexes.conf file in the cluster master master_apps/_cluster/local/ directory
Pushed that bundle to the indexers and saw the new indexes get created
Forwarded an app on the test instance to the new index and saw the folder get populated with data under the Indexers:$SPLUNK_DB/{test_index}
Now when I run a search in my search head for the new index, it doesn't appear. Nor does it appear under the indexes menu.
Searching only for the host or the index does not return anything.
I can search for the default indexes such as "_internal" and then my test instance will show up.
Am I missing a setting somewhere to complete the setup for the search head to search through all indexes?
They are all currently connected to a license master with a valid license
Thanks for any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out. Needed to include the index in the search as well when searching for the host. Also figured out that my default index search needed to include the index by default
Thanks folks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out. Needed to include the index in the search as well when searching for the host. Also figured out that my default index search needed to include the index by default
Thanks folks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@willso777 If your problem is resolved, please accept the answer to help future readers.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you activate distributed search? You add search peers, or indexers, to a Splunk Enterprise instance that you designate as a search head. You do this by specifying each search peer manually (settings >> Distributed search >> Search peers).
More info here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your new index will only show in the "index menu" if you put the indexes.conf on your SH and you have permission to access the index.
You should be abel too find you index with index=* if you have the permission to access is
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Verify the time range you are searching. Search for a larger time range.
- | rest /services/data/indexes | search title="test_index" - see if this gives you results - splunk_server field will tell you where the results are coming from
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
