/opt/splunk/bin/splunk reload index {index_name}

the_wolverine · ‎07-22-2013

I understand that in the year 2013 it may be possible to create a new index without having to restart the indexer? If so which version and how?

sowings · ‎07-23-2013

You can also do so via the REST API. You'll want something like curl:

curl -k -u <USER>:<PASS> https://indexer:port/servicesNS/<user>/<app\_to\_save\_settings>/data/indexes -d name=<newindex>

Populated example:

curl -k -u admin:changeme https://127.0.0.1:8089/servicesNS/admin/search/data/indexes -d name=mytest

Check the REST API Endpoint docs; you can adjust specific parameters of the index definition at creation time as well, with additional -d options.

http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTlist

This has the additional benefit of being able to be scripted remotely, looping over all of the indexers in your environment.

View solution in original post

theunf · ‎08-12-2014

How about doing that on a Master cluster node so it´ll be deployed on indexers peer nodes ?
Any way of requesting this creation on the master-apps instead of local indexes ?

sloshburch · ‎08-15-2014

That's an interesting question given that reloading config on the master node forces restarts on the slaves. I don't have any ideas on this one right now.

sloshburch · ‎01-02-2014

Another approach that I think I just got to work:

https://<hostname>:<splunkdport>/services/data/indexes/_reload

That allows you to stage your index in the appropriate app from the deployment server, but then implement without restart.

sowings · ‎07-23-2013

You can also do so via the REST API. You'll want something like curl:

curl -k -u <USER>:<PASS> https://indexer:port/servicesNS/<user>/<app\_to\_save\_settings>/data/indexes -d name=<newindex>

Populated example:

curl -k -u admin:changeme https://127.0.0.1:8089/servicesNS/admin/search/data/indexes -d name=mytest

Check the REST API Endpoint docs; you can adjust specific parameters of the index definition at creation time as well, with additional -d options.

http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTlist

This has the additional benefit of being able to be scripted remotely, looping over all of the indexers in your environment.

the_wolverine · ‎07-23-2013

Thanks! Just what I was looking for.

sowings · ‎07-23-2013

Available from 4.3.x forward. I'm not sure about the specifics of ".x".

Linegod · ‎07-23-2013

CLI Admin Commands

"reload index" - reloads index configuration, making immediately effective all "add/edit/enable/disable index" commands since last reload or Splunk restart

# /opt/splunk/bin/splunk reload index
# Index config reloaded.

Or

# /opt/splunk/bin/splunk reload index -name {index_name}

sherm77 · ‎03-28-2016

I had to use this just a few minutes ago (v6.2.0) and it works without the -name parameter..

/opt/splunk/bin/splunk reload index {index_name}

Thanks, this is much easier than restarting the production indexer after hours.

ddrillic · ‎03-28-2016

If clustering is enabled, we can use /opt/splunk/bin/splunk apply cluster-bundle after adjusting indexes.conf.

splunker12er · ‎07-17-2014

Thanks alot.

sloshburch · ‎01-02-2014

I think the -name part of the command is not used (at least it won't work in 5.0.2 but works when it is removed)
I have seen the same issue the_wolverine mentioned. I can reload my index config but it won't create the appropriate directories.

the_wolverine · ‎08-05-2013

I have heard that there is some update bug when using "reload index" which results in an incomplete reload of the actual indexes.conf.

grijhwani · ‎07-22-2013

You can if you perform the task through the GUI.

Create new index without restarting Splunk indexer?

/opt/splunk/bin/splunk reload index {index_name}

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!