Getting Data In

REST servicesNS reload index conf

brdr
Contributor

We need the ability , from CLI (Linux) to reload indexes.conf. I run the command below and it succeeds.

curl -X POST -k -u admin:pwd https://localhost:8089/servicesNS/-/-/admin/indexes/_reload

We push changes (like adding a new index) to indexes.conf of the splunk instance. I do not want to restart splunk to see the new index showing up in the GUI. After the above is executed, i log back into Splunk, go to Settings-Indexes and do NOT see the new index.

Any idea why i do not see it? If i restart splunk i wil see it in the GUI.

Thx

0 Karma

arjunpkishore5
Motivator

have you tried using the cli ?

$SPLUNK_HOME/bin/splunk reload index

Full cli reference here - https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/CLIadmincommands

0 Karma

brdr
Contributor

Thanks for feedback. That reload command was one of the things i tried. it doesn't work. i get this in the log: It just doesn't see the new index in indexes.conf.

2-14-2020 20:43:15.256 +0000 INFO IndexProcessor - reloading index config: start
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - request state change from=RUN to=RECONFIGURING02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Initializing: readonly=false reloading=true
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Got a list of count=0 added, modified, or removed indexes02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Reloading index config: shutdown subordinate threads, now restarting
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - Initializing indexes took usec=3 reloading=true indexes_initialized=0
02-14-2020 20:43:15.256 +0000 INFO IndexProcessor - request state change from=RECONFIGURING to=RUN
02-14-2020 20:43:15.257 +0000 INFO IndexProcessor - reloading index config: end
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - reloading index config: start
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - request state change from=RUN to=RECONFIGURING
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Initializing: readonly=false reloading=true
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Got a list of count=0 added, modified, or removed indexes
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Reloading index config: shutdown subordinate threads, now restarting
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - Initializing indexes took usec=2 reloading=true indexes_initialized=0
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - request state change from=RECONFIGURING to=RUN
02-14-2020 20:43:15.382 +0000 INFO IndexProcessor - reloading index config: end

0 Karma

brdr
Contributor

So, i guess the question is, what indexes.conf is the reload looking at, as it is clearly not looking at our local indexes.conf which is in a separate custom app etc/apps/prod_indexes/local/indexes.conf.

0 Karma

arjunpkishore5
Motivator

can you run btool to check if the new index is visible ?

0 Karma

brdr
Contributor

it is visible via btool as soon as i add an index to our indexes.conf

0 Karma

woodcock
Esteemed Legend

I think that it should work but the way that I would deploy this is:
Update indexes.conf on each indexer.
Hit the REST endpoint on eachIndexer.
Update indexes.conf on Search Head.
Hit the REST endpoint on the Search Head.
I would expect that to work.
If not, try the full debug/refresh endpoint.

0 Karma

brdr
Contributor

No dice. The commands work fine, i can see entries in the splunkd.log that the commands are hitting the endpoint but, when i go into the GUI -> Settings -> Indexes the new index is NOT there.

0 Karma

woodcock
Esteemed Legend

Time to open another support case.

0 Karma

brdr
Contributor

Note that I am using the admin user.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If I recall right you could not see the index before it has any data.

R. Ismo

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...