Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

REST endpoint (or CLI command) for reliable list of ALL clustered indexes

st4ple
Path Finder
‎11-25-2019 09:34 AM

We are trying to automate the process of adding new indexes to an Indexer Cluster. For this reason, we would like to get a complete list of all currently deployed indexes in the Indexer Cluster (to prevent user's from ordering indexes that already exist).

We are aware of the /cluster/master/indexes Endpoint => https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/RESTREF/RESTcluster#cluster.2Fmaster.2Findex..., however, this doesn't seem to return any empty indexes (see https://answers.splunk.com/answers/215818/clustered-indexes-not-showing-up-in-the-index-list.html and also the note here: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Howtomonitoracluster#Indexes_tab)

We absolutely need to also see the empty indexes!

We are also aware of the /services/data/indexes Endpoint, but from our perspective it's not visible there where the indexes are located and if they are part of the Indexer Cluster (or, for instance, just defined locally on a Search Head).

Which endpoint (or, if need be, which CLI command) should we use to get all current clustered Indexes?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-25-2019 11:09 AM 
 splunk btool indexes list | grep \\[

On an indexer

Or you could pull the stanzas from the config endpoints.

Just remember for "| rest" to work across all servers, it will require port 8089 open to all servers from the searchhead AND the server has to be configured as a search peer. Usually the MC is setup with this in mind.

Reply

arjunpkishore5
Motivator
‎11-25-2019 10:45 AM

have you tried this ?

| rest /services/admin/indexes splunk_server=*

This is not available in the docs for some reason. I discovered this (a while back) when I visited https://myserver:8089/services/admin to see all the available endpoints for admin

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎12-06-2019 08:54 PM

Try https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTintrospect you are likely seeing an alias to the indexes endpoint

There is also indexes extended

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...