Getting Data In

Create new index without restarting Splunk indexer?

the_wolverine
Champion

I understand that in the year 2013 it may be possible to create a new index without having to restart the indexer? If so which version and how?

1 Solution

sowings
Splunk Employee

You can also do so via the REST API. You'll want something like curl:

curl -k -u <USER>:<PASS> https://indexer:port/servicesNS/<user>/<app_to_save_settings>/data/indexes -d name=<newindex>

Populated example:

curl -k -u admin:changeme https://127.0.0.1:8089/servicesNS/admin/search/data/indexes -d name=mytest

Check the REST API Endpoint docs; you can adjust specific parameters of the index definition at creation time as well, with additional -d options.

http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTlist

This has the additional benefit of being able to be scripted remotely, looping over all of the indexers in your environment.
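
The remote loop mentioned in the answer above, written out as an added example that is not part of the original answer: it validates the index name, verifies the splunkd certificate with a CA file instead of `-k`, and feeds the credentials to curl on stdin rather than on the command line. The variable names (`SPLUNK_USER`, `SPLUNK_APP`, `SPLUNK_PASS`, `SPLUNK_CA`, `DRY_RUN`), the script name and the hosts in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: SPLUNK_USER, SPLUNK_APP,
# SPLUNK_PASS, SPLUNK_CA, DRY_RUN. Hosts in the usage line are constructed.
LC_ALL=C; export LC_ALL
: "${SPLUNK_USER:=admin}" "${SPLUNK_APP:=search}"   # as in the populated example

# Index names: lowercase letters, digits, "_" and "-"; must not start with
# "_" or "-" or contain "kvstore". Anything else is rejected before sending.
valid_index_name() {
  case "$1" in
    ''|[_-]*|*[!a-z0-9_-]*|*kvstore*) return 1 ;;
  esac
}

# Endpoint URL for one indexer: $1 = host:port, $2 = user, $3 = app.
index_url() {
  printf 'https://%s/servicesNS/%s/%s/data/indexes' "$1" "$2" "$3"
}

# POST name=<index> to one indexer. The credentials reach curl on stdin
# (--config -), so they are not visible in the process list, and --cacert
# verifies the splunkd certificate instead of skipping the check with -k.
# Assumes the password contains no double quote or backslash.
create_index() {
  url=$(index_url "$1" "$SPLUNK_USER" "$SPLUNK_APP")
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'POST %s name=%s\n' "$url" "$2"
    return 0
  fi
  : "${SPLUNK_PASS:?set SPLUNK_PASS}" "${SPLUNK_CA:?set SPLUNK_CA}"
  printf 'user = "%s:%s"\n' "$SPLUNK_USER" "$SPLUNK_PASS" |
    curl --silent --show-error --fail --config - --cacert "$SPLUNK_CA" \
         --data-urlencode "name=$2" "$url" >/dev/null
}

# Create index $1 on every host:port that follows. Returns the number of
# indexers that failed, or 64 if the index name is rejected up front.
create_on_all() {
  idx=$1; shift
  valid_index_name "$idx" || { echo "invalid index name: $idx" >&2; return 64; }
  failed=0
  for host in "$@"; do
    create_index "$host" "$idx" || { echo "failed: $host" >&2; failed=$((failed + 1)); }
  done
  return "$failed"
}

# Usage: sh create_index.sh mytest idx1.example.test:8089 idx2.example.test:8089
if [ "$#" -gt 0 ]; then create_on_all "$@"; fi
```

Setting `DRY_RUN=1` prints the requests that would be sent without contacting any indexer.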


theunf
Communicator

How about doing that on a Master cluster node so it'll be deployed on the indexer peer nodes?
Any way of requesting this creation on the master-apps instead of local indexes?

0 Karma

sloshburch
Splunk Employee

That's an interesting question given that reloading config on the master node forces restarts on the slaves. I don't have any ideas on this one right now.

0 Karma

sloshburch
Splunk Employee

Another approach that I think I just got to work:

https://<hostname>:<splunkdport>/services/data/indexes/_reload

That allows you to stage your index in the appropriate app from the deployment server, but then implement without restart.

the_wolverine
Champion

Thanks! Just what I was looking for.

0 Karma

sowings
Splunk Employee

Available from 4.3.x forward. I'm not sure about the specifics of ".x".

0 Karma

Linegod
Path Finder

CLI Admin Commands

"reload index" - reloads index configuration, making immediately effective all "add/edit/enable/disable index" commands since last reload or Splunk restart

# /opt/splunk/bin/splunk reload index
# Index config reloaded.

Or

# /opt/splunk/bin/splunk reload index -name {index_name}

sherm77
Path Finder

I had to use this just a few minutes ago (v6.2.0) and it works without the -name parameter.

/opt/splunk/bin/splunk reload index {index_name}

Thanks, this is much easier than restarting the production indexer after hours.

0 Karma

ddrillic
Ultra Champion

If clustering is enabled, we can use /opt/splunk/bin/splunk apply cluster-bundle after adjusting indexes.conf.

0 Karma

splunker12er
Motivator

Thanks a lot.

0 Karma

sloshburch
Splunk Employee
  1. I think the -name part of the command is not used (at least it won't work in 5.0.2 but works when it is removed)
  2. I have seen the same issue the_wolverine mentioned. I can reload my index config but it won't create the appropriate directories.
0 Karma

the_wolverine
Champion

I have heard that there is some update bug when using "reload index" which results in an incomplete reload of the actual indexes.conf.

0 Karma

grijhwani
Motivator

You can if you perform the task through the GUI.
