I understand that in the year 2013 it may be possible to create a new index without having to restart the indexer? If so which version and how?
You can also do so via the REST API. You'll want something like curl:
curl -k -u <USER>:<PASS> https://indexer:port/servicesNS/<user>/<app_to_save_settings>/data/indexes -d name=<newindex>
Populated example:
curl -k -u admin:changeme https://127.0.0.1:8089/servicesNS/admin/search/data/indexes -d name=mytest
Check the REST API Endpoint docs; you can adjust specific parameters of the index definition at creation time as well, with additional -d options.
http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTlist
This has the additional benefit of being able to be scripted remotely, looping over all of the indexers in your environment.
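The loop over indexers mentioned in the answer above, as an added example that is not part of the original post. It calls the same `/servicesNS/<user>/<app>/data/indexes` endpoint, but verifies the splunkd certificate with `--cacert` instead of `-k` and reads credentials from a netrc file so the password never appears in the process list. The variable names, file paths, the `DRY_RUN` switch and the index-name allow-list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): create one index on many indexers via
# the REST endpoint quoted above, verifying TLS and keeping the password out of argv.
# Assumed names: CA_FILE, NETRC_FILE, SPLUNK_USER, SPLUNK_APP, MGMT_PORT, DRY_RUN.
LC_ALL=C; export LC_ALL   # byte-wise ranges in the patterns below

: "${CA_FILE:=/etc/ssl/splunk-ca.pem}"      # CA that signed the splunkd certificates
: "${NETRC_FILE:=$HOME/.netrc-splunk}"      # mode 600, one "machine" entry per indexer
: "${SPLUNK_USER:=admin}"                   # namespace owner used in the URL
: "${SPLUNK_APP:=search}"                   # app that will hold the index stanza
: "${MGMT_PORT:=8089}"

# Conservative allow-list (an assumption of this example): lowercase letters,
# digits, "_" and "-", starting with a letter or digit.
valid_index_name() {
  case "$1" in
    ''|[!a-z0-9]*|*[!a-z0-9_-]*) return 1 ;;
  esac
  return 0
}

index_url() {  # $1 = indexer host
  printf 'https://%s:%s/servicesNS/%s/%s/data/indexes' \
    "$1" "$MGMT_PORT" "$SPLUNK_USER" "$SPLUNK_APP"
}

# Print the command when DRY_RUN is set, otherwise execute it quietly.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@" >/dev/null; fi
}

create_index() {  # $1 = indexer host, $2 = index name
  valid_index_name "$2" || { echo "rejected index name: $2" >&2; return 2; }
  run curl --silent --show-error --fail \
      --cacert "$CA_FILE" --netrc-file "$NETRC_FILE" \
      --data-urlencode "name=$2" "$(index_url "$1")"
}

main() {  # usage: create-index.sh <index> <indexer> [<indexer> ...]
  name="$1"; shift; failed=0
  for host in "$@"; do
    if create_index "$host" "$name"; then echo "ok      $host"
    else echo "FAILED  $host" >&2; failed=1; fi
  done
  return "$failed"
}

# Only act when arguments are given, so the file can be sourced safely.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once with `DRY_RUN=1` to review the exact requests before letting it touch production indexers; the exit status is non-zero if any indexer rejected the request.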
How about doing that on a Master cluster node so it'll be deployed on indexers peer nodes?
Any way of requesting this creation on the master-apps instead of local indexes?
That's an interesting question given that reloading config on the master node forces restarts on the slaves. I don't have any ideas on this one right now.
Another approach that I think I just got to work:
https://<hostname>:<splunkdport>/services/data/indexes/_reload
That allows you to stage your index in the appropriate app from the deployment server, but then implement without restart.
Thanks! Just what I was looking for.
Available from 4.3.x forward. I'm not sure about the specifics of ".x".
"reload index" - reloads index configuration, making immediately effective all "add/edit/enable/disable index" commands since last reload or Splunk restart
# /opt/splunk/bin/splunk reload index
# Index config reloaded.
Or
# /opt/splunk/bin/splunk reload index -name {index_name}
I had to use this just a few minutes ago (v6.2.0) and it works without the -name parameter.
/opt/splunk/bin/splunk reload index {index_name}
Thanks, this is much easier than restarting the production indexer after hours.
If clustering is enabled, we can use /opt/splunk/bin/splunk apply cluster-bundle after adjusting indexes.conf.
Thanks a lot.
- I think the -name part of the command is not used (at least it won't work in 5.0.2 but works when it is removed)
- I have seen the same issue the_wolverine mentioned. I can reload my index config but it won't create the appropriate directories.
I have heard that there is some update bug when using "reload index" which results in an incomplete reload of the actual indexes.conf.
You can if you perform the task through the GUI.