I have several indexers checking into a deployment server and as such wanted to use a deployed app to manage indexes. In my environment, we have many indexes which results in using the deployment server to manage them a good solution.
The problem I'm having is that the indexes are getting created on the indexer, and it seems like it would be working just fine. However it's not, when sending events I get an error that says that the index doesn't exist or is disabled.
Here's the indexes.conf that the app pushes (right now it contains nothing else):
homePath = volume:hot1/index1/db
coldPath = volume:cold1/index1/colddb
thawedPath = $SPLUNK_DB/index1/thaweddb
The app is called:
SplunkIndexer-Linux/
I tried adding an export=system to the top of the apps indexes.conf and that didn't have an impact.
I've got to be missing something simple here... anyone have any ideas?
What's your volume definition for hot1 and cold1?
Check the path for hot1 and cold1 in your volume settings in indexes.conf
Make sure that the path exists in all the indexers you are deploying the app to and that they have the volume definition as well.
Volumes are defined and working within the SPLUNK_HOME/etc/system/local/indexes.conf.
Of which server? All indexers?
Yup, only having a problem with the index defined in this particular app being able to recieve data.
Where are the volume definitions? You are using "hot1" and "cold1"; these must be defined. I didn't think that they had to be defined in the same indexes.conf, but perhaps they do?
I don't think that export=system has any effect on indexes.conf
"Global visibility" only applies to search-time knowledge objects. Index time settings, like inputs.conf and indexes.conf and many other .conf files, have no "visibility;" it isn't relevant for these configurations.
Volumes are defined and working within the SPLUNK_HOME/etc/system/local/indexes.conf.
I don't think it's a volumes issue... I seem to be thinking it's some sort of issue around setting some sort of permission on the index to be permitted to receive data... which doesn't seem to be a thing.
They don't. Volume settings can be defined in other indexes.conf
That way you can have one indexes.conf with volume settings for IDXs and one for SHs and then use one indexes.conf with the indexes definition on both.