Getting Data In

What is the best practice when creating a custom index on an indexer?

Path Finder

I have an indexer where I want to add index 'web'

Looking at this page: http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Setupmultipleindexes
It seems you can do this in a couple of ways:
1. Splunk Web
2. CLI
3. Edit indexes.conf

When using CLI (2), indexes.conf is created in $SPLUNK_HOME/etc/apps/search/local
When editing indexes.conf (3) it says to put it in $SPLUNK_HOME/etc/system/local

Why is this and which is the best practice?

1 Solution

Influencer

Hi

The best practice is to never use system local. The reason is that when you put things there, any future changes require you to access the machine to change that manually because it is the directory with highest precedence.

If you put them in an app, you can always use other Splunk functionalities to control future changes (Deployment Server, Cluster master bundle distribution, search head cluster deployer)

Those give you a centralised and controlled way to manage and deploy things to Splunk

Ultra Champion

If you're new, I would stick to Splunk Web to keep things straightforward. When you get more advanced you'll start to explore the other options and use btool with --debug to identify where the config from Splunk Web landed.

In fact, you may find that the config gets created within the app folder for whatever app you were last viewing in Splunk web. When you're ready for it, you'll find this article on Configuration File Precedence to be great help!
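To see the precedence point above in action, here is an added example (not part of the thread and not Splunk's own btool) that models the global-context layering of indexes.conf and reports, btool --debug style, which file wins each setting. It assumes the simplified order system/local > app local > app default > system/default, with apps visited in sorted directory-name order, and builds a constructed SPLUNK_HOME in a temp directory.

```python
import configparser
import tempfile
from pathlib import Path

# Simplified model of Splunk's global-context precedence, highest first:
# system/local, every app's local, every app's default, system/default.
# Assumption: apps are visited in sorted directory-name order (real btool
# has finer ordering rules); this is an added illustration, not Splunk code.
def precedence_paths(splunk_home, conf):
    etc = Path(splunk_home) / "etc"
    apps_dir = etc / "apps"
    apps = sorted(p for p in apps_dir.iterdir() if p.is_dir()) if apps_dir.is_dir() else []
    order = [etc / "system" / "local" / conf]
    order += [a / "local" / conf for a in apps]
    order += [a / "default" / conf for a in apps]
    order.append(etc / "system" / "default" / conf)
    return [p for p in order if p.is_file()]

def resolve_stanza(splunk_home, conf, stanza):
    """Merge one stanza the way `btool <conf> list <stanza> --debug` shows it:
    returns {key: (value, winning_file)}; a higher-precedence file overrides."""
    merged = {}
    for path in reversed(precedence_paths(splunk_home, conf)):  # lowest first
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep Splunk's case-sensitive keys as written
        cp.read(path)
        if cp.has_section(stanza):
            for key, value in cp[stanza].items():
                merged[key] = (value, str(path))
    return merged

def demo():
    """Constructed SPLUNK_HOME: the 'web' index shipped in a deployable app,
    plus a hand edit in system/local that no deployed app can override."""
    root = Path(tempfile.mkdtemp())
    files = {
        "etc/apps/indexes_web/default/indexes.conf":
            "[web]\nhomePath = $SPLUNK_DB/web/db\ncoldPath = $SPLUNK_DB/web/colddb\n"
            "thawedPath = $SPLUNK_DB/web/thaweddb\nmaxTotalDataSizeMB = 100000\n",
        "etc/apps/indexes_web/local/indexes.conf": "[web]\nmaxTotalDataSizeMB = 200000\n",
        "etc/system/local/indexes.conf": "[web]\nmaxTotalDataSizeMB = 500000\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return resolve_stanza(root, "indexes.conf", "web")

if __name__ == "__main__":
    for key, (value, src) in demo().items():
        print(f"{src}  {key} = {value}")  # btool --debug style: source file, then setting
```

Running it shows maxTotalDataSizeMB coming from system/local even though the app's local and default both set it, which is exactly why a manual edit there has to be undone by hand on the box.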

Path Finder

Using Splunk Web is not an option and I have no problem using cli or editing the config file with vim. I am just wondering why Splunk docs say to edit /system/local/indexes.conf, but using the cli command does this in /app/search/local/indexes.conf

0 Karma

Path Finder

It does, thank you!

0 Karma

Ultra Champion

So, the search app is just the default namespace for the config to be created. If you run ./splunk help you'll see some details on it near the end of the output:

Syntax:

        [command] [object] [-parameter <value> | <value>]... [-uri][-auth]

      app        specify the app or namespace to run the command; for search, defaults to the Search app

So, for example:

$ splunk add index -app fun
Your session is invalid.  Please login.
Splunk username: burch
Password:
Application does not exist: fun

I believe the docs merely try to coach towards using system/local as a catch-all and trust that once the user is familiar with configuration file precedence they'll move the config wherever they want it to live.

Does that clarify?

0 Karma

Path Finder

Nice! Thank you.
Can you think of why when using option 3, Splunk docs tell you to place it in /system/local rather than /apps/search/local

0 Karma

Influencer

Honestly I don't see a reason for that. Maybe there is some misleading info there. It surely is not a best practice.

0 Karma

Influencer

If the answer was helpful, accept it for future reference to this

0 Karma

Influencer

Please accept and upvote the answer