Getting Data In

What is the best practice when creating a custom index in a indexer?

snorri
Path Finder

I have an indexer where I want to add index 'web'

Looking at this page: http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Setupmultipleindexes
It seems you can do this in a couple of ways:
1. Splunk Web
2. CLI
3. Edit indexes.conf

When using CLI (2), indexers.conf is created in $SPLUNK_HOME/etc/apps/search/local
When editing indexes.conf (3) it says to put it in $SPLUNK_HOME/etc/system/local

Why is this and which is the best practie?

1 Solution

tiagofbmm
Influencer

Hi

The best practice is to never use system local. The reason is that when you put things there, any future changes require you to access the machine to change that manually because it is the directory with highest precedence.

If you put then in an app, you can always use other Splunk functionalities to control future changes (Deployments Server, Cluster master bundle distribution, search head cluster deployer)

Those give you a centralised and controller way to manage and deploy things to Splunk

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

If you're new, I would stick to Splunk Web to keep things straightforward. When you get more advanced you'll start to explore the other options and use btool with --debug to identify where the config from Splunk Web landed.

In fact, you may find that the config gets created within the app folder for whatever app you were last viewing in Splunk web. When you're ready for it, you'll find this article on Configuration File Precedence to be great help!

snorri
Path Finder

Using Splunk Web is not an option and I have no problem using cli or editing the config file with vim. I am just wondering why Splunk docs says to edit /system/local/indexers.conf, but using the cli command does this in /app/search/local/indexers.conf

0 Karma

snorri
Path Finder

It does, thank you!

0 Karma

sloshburch
Splunk Employee
Splunk Employee

So, the search app is just the default namespace for the config to be created. If you run ./splunk help you'll see some details on it near the end of the output:

Syntax:

        [command] [object] [-parameter <value> | <value>]... [-uri][-auth]

      app        specify the app or namespace to run the command; for search, defaults to the Search app

So, for example:

$ splunk add index -app fun
Your session is invalid.  Please login.
Splunk username: burch
Password:
Application does not exist: fun

I believe the docs merely try to coach towards using system/local as a catch-all and trust that once the user is familiar with configuration file precedence they'll move the config wherever they want it to live.

Does that clarify?

0 Karma

tiagofbmm
Influencer

Hi

The best practice is to never use system local. The reason is that when you put things there, any future changes require you to access the machine to change that manually because it is the directory with highest precedence.

If you put then in an app, you can always use other Splunk functionalities to control future changes (Deployments Server, Cluster master bundle distribution, search head cluster deployer)

Those give you a centralised and controller way to manage and deploy things to Splunk

snorri
Path Finder

Nice! Thank you.
Can you think of why when using option 3, Splunk docs tells you to place it in /system/local rather than /apps/search/local

0 Karma

tiagofbmm
Influencer

Honestly I don't see a reason for that. Maybe there is some misleading info there. It surely is not a best practice.

0 Karma

tiagofbmm
Influencer

If the answer was helpful, accept it for future reference to this

0 Karma

tiagofbmm
Influencer

Please accept and upvote the answer

Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...