Getting Data In

How to edit indexes.conf to resolve an error that says the index doesn't exist or is disabled when sending events?

jwelters
Explorer

I have several indexers checking into a deployment server and as such wanted to use a deployed app to manage indexes. In my environment, we have many indexes which results in using the deployment server to manage them a good solution.

The problem I'm having is that the indexes are getting created on the indexer, and it seems like it would be working just fine. However it's not, when sending events I get an error that says that the index doesn't exist or is disabled.

Here's the indexes.conf that the app pushes (right now it contains nothing else):
homePath = volume:hot1/index1/db
coldPath = volume:cold1/index1/colddb
thawedPath = $SPLUNK_DB/index1/thaweddb

The app is called:
SplunkIndexer-Linux/

I tried adding an export=system to the top of the apps indexes.conf and that didn't have an impact.

I've got to be missing something simple here... anyone have any ideas?

0 Karma

diogofgm
SplunkTrust
SplunkTrust

What's your volume definition for hot1 and cold1?
Check the path for hot1 and cold1 in your volume settings in indexes.conf
Make sure that the path exists in all the indexers you are deploying the app to and that they have the volume definition as well.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

jwelters
Explorer

Volumes are defined and working within the SPLUNK_HOME/etc/system/local/indexes.conf.

0 Karma

diogofgm
SplunkTrust
SplunkTrust

Of which server? All indexers?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

jwelters
Explorer

Yup, only having a problem with the index defined in this particular app being able to recieve data.

0 Karma

lguinn2
Legend

Where are the volume definitions? You are using "hot1" and "cold1"; these must be defined. I didn't think that they had to be defined in the same indexes.conf, but perhaps they do?

I don't think that export=system has any effect on indexes.conf
"Global visibility" only applies to search-time knowledge objects. Index time settings, like inputs.conf and indexes.conf and many other .conf files, have no "visibility;" it isn't relevant for these configurations.

0 Karma

jwelters
Explorer

Volumes are defined and working within the SPLUNK_HOME/etc/system/local/indexes.conf.

I don't think it's a volumes issue... I seem to be thinking it's some sort of issue around setting some sort of permission on the index to be permitted to receive data... which doesn't seem to be a thing.

0 Karma

diogofgm
SplunkTrust
SplunkTrust

They don't. Volume settings can be defined in other indexes.conf
That way you can have one indexes.conf with volume settings for IDXs and one for SHs and then use one indexes.conf with the indexes definition on both.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...