Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show a deployed index in Splunk Web on a search head to add data?

YoungDaniel
Path Finder
‎12-10-2015 04:15 AM

Hi,

We are using a Splunk Enterprise installation that uses the following:
1 search head, also acts as a deployment server and license manager.
1 indexer, with no gui.

I have created a deployment app on the Search head called test-indexes. It contains a /test-indexes/default/indexes.conf
In indexes.conf I have created an index called [test] with the default bucket paths, maxdatasize and maxtotaldatasize attributes.

The index has been deployed on the indexer, and is visible in opt/splunk/var/lib/splunk directory. both in test.dat and test directory.

My issue is that even though the index is deployed, there is no way for me to be able to add data to the index from the search head.
It does not exist in the settings->indexes view in Splunk Web (search head).

How can I resolve this issue?

// Daniel

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-10-2015 04:55 AM

You will be able to add data only to local indexes through web , ie; index which are created on search head. To load data to test index on indexer, you have to either use indexer's web or configure forwarder to forward data.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-10-2015 04:55 AM

You will be able to add data only to local indexes through web , ie; index which are created on search head. To load data to test index on indexer, you have to either use indexer's web or configure forwarder to forward data.

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

YoungDaniel
Path Finder
‎12-10-2015 04:59 AM

Ok, but running the | dbinspect index=test command didn't render any results even though bucket paths are declared. Is that because there is no data in the index?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-10-2015 05:18 AM

Easiest way to find whether the index is created is ,
Click Settings > Access Controls edit or add a role and check in "Indexes searched by default" section to see if the index is listed.
or
run
|tstats count where index=* and see if your index is listed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...