Getting Data In

How to show a deployed index in Splunk Web on a search head to add data?

YoungDaniel
Path Finder

Hi,

We are using a Splunk Enterprise installation that uses the following:
1 search head, also acts as a deployment server and license manager.
1 indexer, with no gui.

I have created a deployment app on the Search head called test-indexes. It contains a /test-indexes/default/indexes.conf
In indexes.conf I have created an index called [test] with the default bucket paths, maxdatasize and maxtotaldatasize attributes.

The index has been deployed on the indexer, and is visible in opt/splunk/var/lib/splunk directory. both in test.dat and test directory.

My issue is that even though the index is deployed, there is no way for me to be able to add data to the index from the search head.
It does not exist in the settings->indexes view in Splunk Web (search head).

How can I resolve this issue?

// Daniel

0 Karma
1 Solution

renjith_nair
Legend

You will be able to add data only to local indexes through web , ie; index which are created on search head. To load data to test index on indexer, you have to either use indexer's web or configure forwarder to forward data.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

You will be able to add data only to local indexes through web , ie; index which are created on search head. To load data to test index on indexer, you have to either use indexer's web or configure forwarder to forward data.

---
What goes around comes around. If it helps, hit it with Karma 🙂

YoungDaniel
Path Finder

Ok, but running the | dbinspect index=test command didn't render any results even though bucket paths are declared. Is that because there is no data in the index?

0 Karma

renjith_nair
Legend

Easiest way to find whether the index is created is ,
Click Settings > Access Controls edit or add a role and check in "Indexes searched by default" section to see if the index is listed.
or
run
|tstats count where index=* and see if your index is listed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...