Getting Data In

Create new index without restarting Splunk indexer?

Champion

I understand that in the year 2013 it may be possible to create a new index without having to restart the indexer? If so, which version and how?

1 Solution

Splunk Employee

You can also do so via the REST API. You'll want something like curl:

curl -k -u <USER>:<PASS> https://indexer:port/servicesNS/<user>/<app_to_save_settings>/data/indexes -d name=<newindex>

Populated example:

curl -k -u admin:changeme https://127.0.0.1:8089/servicesNS/admin/search/data/indexes -d name=mytest

Check the REST API Endpoint docs; you can adjust specific parameters of the index definition at creation time as well, with additional -d options.

http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTlist

This has the additional benefit of being able to be scripted remotely, looping over all of the indexers in your environment.

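The remote loop over indexers mentioned in the answer above, as an added example (not part of the original post and not Splunk's own code). It verifies the splunkd certificate with `--cacert` instead of `-k` and reads credentials from a netrc file rather than `-u user:pass`; the file paths, hostnames, variable names and the index-name allow-list are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: create one index on several indexers via the data/indexes
# REST endpoint. Paths, hostnames and variable names below are assumptions.

CURL="${CURL:-curl}"                                 # overridable for a dry run
SPLUNK_CA="${SPLUNK_CA:-/etc/ssl/splunk-ca.pem}"     # assumed CA bundle for splunkd certs
SPLUNK_NETRC="${SPLUNK_NETRC:-$HOME/.splunk-netrc}"  # assumed netrc file, mode 600:
                                                     #   machine <host> login <user> password <pass>
SPLUNK_NS="${SPLUNK_NS:-admin/search}"               # <user>/<app_to_save_settings>
SPLUNK_PORT="${SPLUNK_PORT:-8089}"

# Conservative allow-list (an assumption of this example): lowercase letters,
# digits, "_" and "-", not starting with "_" or "-". Characters are spelled
# out so the match does not depend on locale range semantics.
valid_index_name() {
  case "$1" in
    ""|[_-]*|*[!abcdefghijklmnopqrstuvwxyz0123456789_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Usage: create_index <index> <indexer>...
# Returns 2 for a rejected name, 1 if any indexer failed, 0 otherwise.
create_index() {
  local index="$1" host rc=0
  shift
  valid_index_name "$index" || { echo "rejected index name: $index" >&2; return 2; }
  for host in "$@"; do
    # --cacert validates the server certificate; --netrc-file keeps the
    # password out of argv and shell history; --fail turns HTTP errors
    # (for example 401 or 409) into a non-zero exit status.
    if "$CURL" --silent --show-error --fail \
         --cacert "$SPLUNK_CA" --netrc-file "$SPLUNK_NETRC" \
         --data-urlencode "name=$index" \
         "https://$host:$SPLUNK_PORT/servicesNS/$SPLUNK_NS/data/indexes" >/dev/null
    then echo "created $index on $host"
    else echo "FAILED  $index on $host" >&2; rc=1
    fi
  done
  return "$rc"
}

# Example call (constructed hostnames):
#   create_index mytest idx1.example.com idx2.example.com
```

The loop keeps going after a failed indexer and reports the failure in its exit status, so a partial rollout is visible to the calling script.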

Path Finder

How about doing that on a Master cluster node so it'll be deployed on the indexer peer nodes?
Is there any way of requesting this creation in master-apps instead of local indexes?

0 Karma

Ultra Champion

That's an interesting question given that reloading config on the master node forces restarts on the slaves. I don't have any ideas on this one right now.

0 Karma

Ultra Champion

Another approach that I think I just got to work:

https://<hostname>:<splunkdport>/services/data/indexes/_reload

That allows you to stage your index in the appropriate app from the deployment server, but then implement without restart.

Champion

Thanks! Just what I was looking for.

0 Karma

Splunk Employee

Available from 4.3.x forward. I'm not sure about the specifics of ".x".

0 Karma

Path Finder

CLI Admin Commands

"reload index" - reloads index configuration, making immediately effective all "add/edit/enable/disable index" commands since last reload or Splunk restart

# /opt/splunk/bin/splunk reload index
# Index config reloaded.

Or

# /opt/splunk/bin/splunk reload index -name {index_name}

Path Finder

I had to use this just a few minutes ago (v6.2.0) and it works without the -name parameter.

/opt/splunk/bin/splunk reload index {index_name}

Thanks, this is much easier than restarting the production indexer after hours.

0 Karma

Ultra Champion

If clustering is enabled, we can use /opt/splunk/bin/splunk apply cluster-bundle after adjusting indexes.conf.

0 Karma

Motivator

Thanks a lot.

0 Karma

Ultra Champion

  1. I think the -name part of the command is not used (at least it won't work in 5.0.2 but works when it is removed)
  2. I have seen the same issue the_wolverine mentioned. I can reload my index config but it won't create the appropriate directories.

0 Karma

Champion

I have heard that there is some update bug when using "reload index" which results in an incomplete reload of the actual indexes.conf.

0 Karma

Motivator

You can if you perform the task through the GUI.