Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Was there a change in Splunk 6.1.5 with how an indexer reads indexes.conf compared to previous versions?

cevyn
Explorer
‎02-25-2015 07:59 AM

In the process of migrating to an indexes app instead of fixed /opt/splunk/etc/system/local/indexes.conf, I did a search against the indexer.

As soon as I renamed indexes.conf prior to restart (and picking up indexes.conf elsewhere in directory structure -prior to download of app), a search against that indexer immediately reported - no data ( for any window of time).
As soon as I renamed it back - data became available again.

It appears that forwarders continued to send data to the indexer the whole time.

Is there shift in how and when Splunk reads these config files? Indexes.conf in particular.
That was not how I remember it working on older versions.

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎02-27-2015 02:29 AM

I'm not aware of any difference, but the best way to diagnose if you have different configuration when you change your setup is to use btool to give a before and after and if there is a difference you can run with debug so you can see where each configuration item is coming from. Splunk doesn't need to be running for this, so you can make changes and keep doing it until everything matches up.

./bin/splunk btool indexes list 
./bin/splunk btool indexes list --debug

I like to run it into a vim buffer like so:

./bin/splunk btool indexes list --debug | vim -

The dash makes vim read stdin into a new buffer.
Another alternative is to diff it

./bin/splunk btool indexes list > /tmp/indexes.old 
mv ... # make your changes
./bin/splunk btool indexes list > /tmp/indexes.new
diff -u /tmp/indexes.{old,new} | less
0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...