Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk app data index issue

yasit
Explorer
‎09-21-2023 06:11 AM
my app contains the index.conf which declares the index that is installed on the heavy forwarder and it is not installed on the indexer. The problem is that data does not land on the indexer
 
 
 
Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dural_yyz
Communicator
‎09-21-2023 06:41 AM

https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setupmultipleindexes

 

You don't have to add your app to the indexers but you must define your index on the indexers.  A stand alone instance can define via GUI management, however if you have an indexing cluster you must use the CLI to edit an indexes.conf file which is pushed in the CM bundle to the IDX tier.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dural_yyz
Communicator
‎09-21-2023 06:30 AM

Agreed - you need to have the index defined on the indexers.  Since the HF cooks the data when it comes across you need to have matching configuration at the receiving side.  Failure to do this will mean your data will route to the last chance index.

On the indexer check btool config for indexes.conf

[default]
lastChanceIndex = <index name>
* An index that receives events that are otherwise not associated
  with a valid index.
* If you do not specify a valid index with this setting, such events are
  dropped entirely.
* Routes the following kinds of events to the specified index:
  * events with a non-existent index specified at an input layer, like an
    invalid "index" setting in inputs.conf
  * events with a non-existent index computed at index-time, like an invalid
    _MetaData:Index value set from a "FORMAT" setting in transforms.conf
* You must set 'lastChanceIndex' to an existing, enabled index.
  Splunk software cannot start otherwise.
* If set to "default", then the default index specified by the
  'defaultDatabase' setting is used as a last chance index.
* Default: empty string

 

0 Karma
Reply
Solved! Jump to solution

yasit
Explorer
‎09-21-2023 06:37 AM

@dural_yyz Thanks for the insight,
I've declared the index in my app's indexes.conf which is installed on the HF which essentially is being populated by scripted input. 
But is there a way around where I don't have to install my app on the indexers? And also can you please provide the reference where it mentions that I have to install my app in Indexer?

0 Karma
Reply
Solved! Jump to solution
Solution

dural_yyz
Communicator
‎09-21-2023 06:41 AM

https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setupmultipleindexes

 

You don't have to add your app to the indexers but you must define your index on the indexers.  A stand alone instance can define via GUI management, however if you have an indexing cluster you must use the CLI to edit an indexes.conf file which is pushed in the CM bundle to the IDX tier.

0 Karma
Reply
Solved! Jump to solution

yasit
Explorer
‎09-21-2023 06:29 AM

thanks @gcusello 

what seems to be the issue? my understanding was that by default if Splunk receives data for an index that doesn't exist, it will attempt to create the index dynamically. 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-21-2023 06:33 AM

Hi @yasit,

it isn't correct: if you are trying to send logs to a not existing index, you have a message (someting like this: "unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:System"), but the index isn't automatically created.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-21-2023 06:23 AM

Hi @yasit,

you have two choices:

  • install the app also on Indexers (I don't hint),
  • manually create the index on the Indexer.

usually this is described in the instructions, which is the app?

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...