Solved: How to create a new index(not peer index node) fro...

Leo_Yong · ‎12-19-2018

The environment is working well, since we have already had some indexes created there, and running as expected. I just want to add another new index with new data.

Here is what I did:
1. create a new index(named: newindex) from search head web page. settings-->Indexes--> New Index
2. from heavy forwarder server, ..../etc/apps/search/local/inputs.conf, added:
[monitor://D:\filepath\filename*]
disable=0
host=a_new_hostname
index=newindex
sourcetype=a_old_sourcetype

copy the log files to path: D:\filepath\
restart splunk on heavy forwarder

After these steps, I could not get any data from search query(like using: index=newindex). By the way, I even couldn't find the index from indexer server web page(settings-->indexes).

Did I miss something? Please advise. Thanks.

damann · ‎12-19-2018

You have to create a new Index on the machine your forwarders send the data to.

Try to add a new index by using the WebUI from your Indexer(s) or by configuring indexes.conf on all your indexer.

I hope it works for you!

View solution in original post

damann · ‎12-19-2018

You have to create a new Index on the machine your forwarders send the data to.

Try to add a new index by using the WebUI from your Indexer(s) or by configuring indexes.conf on all your indexer.

I hope it works for you!

Leo_Yong · ‎12-20-2018

Thanks for your help. it's working now.

How to create a new index(not peer index node) from distributed environment?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation