Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

REST endpoint (or CLI command) for reliable list of ALL clustered indexes

st4ple
Path Finder
‎11-25-2019 09:34 AM

We are trying to automate the process of adding new indexes to an Indexer Cluster. For this reason, we would like to get a complete list of all currently deployed indexes in the Indexer Cluster (to prevent user's from ordering indexes that already exist).

We are aware of the /cluster/master/indexes Endpoint => https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/RESTREF/RESTcluster#cluster.2Fmaster.2Findex..., however, this doesn't seem to return any empty indexes (see https://answers.splunk.com/answers/215818/clustered-indexes-not-showing-up-in-the-index-list.html and also the note here: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Howtomonitoracluster#Indexes_tab)

We absolutely need to also see the empty indexes!

We are also aware of the /services/data/indexes Endpoint, but from our perspective it's not visible there where the indexes are located and if they are part of the Indexer Cluster (or, for instance, just defined locally on a Search Head).

Which endpoint (or, if need be, which CLI command) should we use to get all current clustered Indexes?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-25-2019 11:09 AM 
 splunk btool indexes list | grep \\[

On an indexer

Or you could pull the stanzas from the config endpoints.

Just remember for "| rest" to work across all servers, it will require port 8089 open to all servers from the searchhead AND the server has to be configured as a search peer. Usually the MC is setup with this in mind.

Reply

arjunpkishore5
Motivator
‎11-25-2019 10:45 AM

have you tried this ?

| rest /services/admin/indexes splunk_server=*

This is not available in the docs for some reason. I discovered this (a while back) when I visited https://myserver:8089/services/admin to see all the available endpoints for admin

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎12-06-2019 08:54 PM

Try https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTintrospect you are likely seeing an alias to the indexes endpoint

There is also indexes extended

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...