Getting Data In

Create new index without restarting Splunk indexer?

the_wolverine
Champion

I understand that in the year 2013 it may be possible to create a new index without having to restart the indexer? If so which version and how?

1 Solution

sowings
Splunk Employee
Splunk Employee

You can also do so via the REST API. You'll want something like curl:

curl -k -u <USER>:<PASS> https://indexer:port/servicesNS/&lt;user>/&lt;app\_to\_save\_settings>/data/indexes -d name=<newindex>

Populated example:

curl -k -u admin:changeme https://127.0.0.1:8089/servicesNS/admin/search/data/indexes -d name=mytest

Check the REST API Endpoint docs; you can adjust specific parameters of the index definition at creation time as well, with additional -d options.

http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTlist

This has the additional benefit of being able to be scripted remotely, looping over all of the indexers in your environment.

View solution in original post

theunf
Communicator

How about doing that on a Master cluster node so it´ll be deployed on indexers peer nodes ?
Any way of requesting this creation on the master-apps instead of local indexes ?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

That's an interesting question given that reloading config on the master node forces restarts on the slaves. I don't have any ideas on this one right now.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Another approach that I think I just got to work:

https://<hostname>:<splunkdport>/services/data/indexes/_reload

That allows you to stage your index in the appropriate app from the deployment server, but then implement without restart.

sowings
Splunk Employee
Splunk Employee

You can also do so via the REST API. You'll want something like curl:

curl -k -u <USER>:<PASS> https://indexer:port/servicesNS/&lt;user>/&lt;app\_to\_save\_settings>/data/indexes -d name=<newindex>

Populated example:

curl -k -u admin:changeme https://127.0.0.1:8089/servicesNS/admin/search/data/indexes -d name=mytest

Check the REST API Endpoint docs; you can adjust specific parameters of the index definition at creation time as well, with additional -d options.

http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTlist

This has the additional benefit of being able to be scripted remotely, looping over all of the indexers in your environment.

the_wolverine
Champion

Thanks! Just what I was looking for.

0 Karma

sowings
Splunk Employee
Splunk Employee

Available from 4.3.x forward. I'm not sure about the specifics of ".x".

0 Karma

Linegod
Path Finder

CLI Admin Commands

"reload index" - reloads index configuration, making immediately effective all "add/edit/enable/disable index" commands since last reload or Splunk restart

# /opt/splunk/bin/splunk reload index
# Index config reloaded.

Or

# /opt/splunk/bin/splunk reload index -name {index_name}

sherm77
Path Finder

I had to use this just a few minutes ago (v6.2.0) and it works without the -name parameter..

/opt/splunk/bin/splunk reload index {index_name}

Thanks, this is much easier than restarting the production indexer after hours.

0 Karma

ddrillic
Ultra Champion

If clustering is enabled, we can use /opt/splunk/bin/splunk apply cluster-bundle after adjusting indexes.conf.

0 Karma

splunker12er
Motivator

Thanks alot.

0 Karma

sloshburch
Splunk Employee
Splunk Employee
  1. I think the -name part of the command is not used (at least it won't work in 5.0.2 but works when it is removed)
  2. I have seen the same issue the_wolverine mentioned. I can reload my index config but it won't create the appropriate directories.
0 Karma

the_wolverine
Champion

I have heard that there is some update bug when using "reload index" which results in an incomplete reload of the actual indexes.conf.

0 Karma

grijhwani
Motivator

You can if you perform the task through the GUI.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...