Solved: What is the best practice when creating a custom i...

snorri · ‎03-13-2018

I have an indexer where I want to add index 'web'

Looking at this page: http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Setupmultipleindexes
It seems you can do this in a couple of ways:
1. Splunk Web
2. CLI
3. Edit indexes.conf

When using CLI (2), indexers.conf is created in $SPLUNK_HOME/etc/apps/search/local
When editing indexes.conf (3) it says to put it in $SPLUNK_HOME/etc/system/local

Why is this and which is the best practie?

tiagofbmm · ‎03-13-2018

Hi

The best practice is to never use system local. The reason is that when you put things there, any future changes require you to access the machine to change that manually because it is the directory with highest precedence.

If you put then in an app, you can always use other Splunk functionalities to control future changes (Deployments Server, Cluster master bundle distribution, search head cluster deployer)

Those give you a centralised and controller way to manage and deploy things to Splunk

View solution in original post

sloshburch · ‎03-13-2018

If you're new, I would stick to Splunk Web to keep things straightforward. When you get more advanced you'll start to explore the other options and use btool with --debug to identify where the config from Splunk Web landed.

In fact, you may find that the config gets created within the app folder for whatever app you were last viewing in Splunk web. When you're ready for it, you'll find this article on Configuration File Precedence to be great help!

snorri · ‎03-13-2018

Using Splunk Web is not an option and I have no problem using cli or editing the config file with vim. I am just wondering why Splunk docs says to edit /system/local/indexers.conf, but using the cli command does this in /app/search/local/indexers.conf

snorri · ‎03-15-2018

It does, thank you!

sloshburch · ‎03-15-2018

So, the search app is just the default namespace for the config to be created. If you run ./splunk help you'll see some details on it near the end of the output:

Syntax:

        [command] [object] [-parameter <value> | <value>]... [-uri][-auth]

      app        specify the app or namespace to run the command; for search, defaults to the Search app

So, for example:

$ splunk add index -app fun
Your session is invalid.  Please login.
Splunk username: burch
Password:
Application does not exist: fun

I believe the docs merely try to coach towards using system/local as a catch-all and trust that once the user is familiar with configuration file precedence they'll move the config wherever they want it to live.

Does that clarify?

tiagofbmm · ‎03-13-2018

Hi

The best practice is to never use system local. The reason is that when you put things there, any future changes require you to access the machine to change that manually because it is the directory with highest precedence.

If you put then in an app, you can always use other Splunk functionalities to control future changes (Deployments Server, Cluster master bundle distribution, search head cluster deployer)

Those give you a centralised and controller way to manage and deploy things to Splunk

snorri · ‎03-13-2018

Nice! Thank you.
Can you think of why when using option 3, Splunk docs tells you to place it in /system/local rather than /apps/search/local

tiagofbmm · ‎03-13-2018

Honestly I don't see a reason for that. Maybe there is some misleading info there. It surely is not a best practice.

tiagofbmm · ‎03-13-2018

If the answer was helpful, accept it for future reference to this

tiagofbmm · ‎03-14-2018

Please accept and upvote the answer

What is the best practice when creating a custom index in a indexer?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies