Getting Data In

How to show a deployed index in Splunk Web on a search head to add data?

YoungDaniel
Path Finder

Hi,

We are using a Splunk Enterprise installation that uses the following:
1 search head, which also acts as a deployment server and license manager.
1 indexer, with no GUI.

I have created a deployment app on the search head called test-indexes. It contains a /test-indexes/default/indexes.conf.
In indexes.conf I have created an index called [test] with the default bucket paths, maxdatasize and maxtotaldatasize attributes.

The index has been deployed on the indexer and is visible in the opt/splunk/var/lib/splunk directory, both in test.dat and the test directory.

My issue is that even though the index is deployed, there is no way for me to be able to add data to the index from the search head.
It does not exist in the settings->indexes view in Splunk Web (search head).

How can I resolve this issue?

// Daniel

0 Karma
1 Solution

renjith_nair
Legend

You will be able to add data only to local indexes through web, i.e. indexes which are created on the search head. To load data to the test index on the indexer, you have to either use the indexer's web or configure a forwarder to forward data.

---
What goes around comes around. If it helps, hit it with Karma 🙂
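
The forwarder route mentioned in the answer above, as an added configuration example that is not part of the original post. The indexer address idx1.example.com, port 9997, the output group name, the monitored file path and the sourcetype are assumptions chosen for illustration; only the index name test comes from the thread.

```ini
# --- Forwarding instance (universal forwarder or the search head): outputs.conf ---
[tcpout]
defaultGroup = test_indexers

[tcpout:test_indexers]
# Assumed indexer address; 9997 is the conventional receiving port
server = idx1.example.com:9997

# --- Forwarding instance: inputs.conf ---
# Assumed log file; events are tagged for the index deployed on the indexer
[monitor:///var/log/myapp/app.log]
index = test
sourcetype = myapp:log
disabled = 0

# --- Indexer: inputs.conf ---
# Open the receiving port so the indexer accepts forwarded data
[splunktcp://9997]
disabled = 0
```

The index named in the input stanza has to exist on the indexer that receives the data, which is the case here because test was deployed there.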

YoungDaniel
Path Finder

Ok, but running the | dbinspect index=test command didn't render any results even though bucket paths are declared. Is that because there is no data in the index?

0 Karma

renjith_nair
Legend

The easiest way to find whether the index is created is:
Click Settings > Access Controls, edit or add a role, and check the "Indexes searched by default" section to see if the index is listed.
or
run
| tstats count where index=* by index
and see if your index is listed.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma