Is it possible to alias an index name?

max_szulc · ‎02-04-2016

Is it possible in Splunk Enterprise to alias index name (for purposes of an app, so that one doesn't have to modify the app every update)?

fdi01 · ‎02-05-2016

You can tag your indexe with your tag_name, and view them with tag::index.

esix_splunk · ‎02-05-2016

There is no way to do this. Indexes are named as indexes.

That being said, you could create a macro for the apps, at the global level, and have all your app's start there searches with that.. e.g. A macro named "searchIndexes", exported globally from the search app. In this macro, define your indexes :

  (index=IndexA OR index=IndexB or index=IndexC)

Start all of your searches with that macro. Then you just have the one central macro to modify.

renjith_nair · ‎02-04-2016

It isn't clear where you want to use that ? You can create eventtype ortag` for index

Happy Splunking!

max_szulc · ‎02-04-2016

An app searches an index that has a set name (specified in app). Renaming an index is not an option. The app can be modified of course, but changes would be lost at each and every update.

somesoni2 · ‎02-04-2016

Even if you create an alias for an index some how, you would still need to update the "configuration for index alias" every time the index name changes. So, better option would be to create an eventtype OR tag OR search macro for use in your dashboards/searches.

Again, my suggestion would be to keep the index name constant. Don't think of a situation where an app upgrade will cause new index to be created. May be if you can share more information.

max_szulc · ‎02-04-2016

The situation is kind of the other way around. I'll try to explain more clearly.

There is an app.
An app performs a search in a specified index, and then performs other operations on the data.

It is not uncommon for a number of apps. Should I change the index name in all cases for all configuration files for the app, it would perform it's utility for a different index.

Now there exists an index that I would like to actually be the source of data for this app to perform it's operations on. It has a different name than a hypothetical index specified by the app - this one does not in reality exist.

What I assume are half-measure solutions are:

Modify the app so that it specifies the index that I want as a source, changing the index name in all it's occurrences.
The problem I see: the changes are lost at each update, and these depending on an app can happen quite often.
Clone an entire index and give the clone a name specified by the app.
The problem I see: the app is required for only a small part of data and the index is actually quite large, so cloning it would take a considerable amount of disc space

The thing that I am interested in was whether there was a way for Splunk to somehow recognize more than a single name for an index (perhaps by using aliases) across an indexing instance, or a workaround developed by experienced users to mitigate the "rewrite app at each update" situation.

Thank you for your time.

DMohn · ‎02-05-2016

If the app you are using requires a specific index for its searches, you could overwrite the app settings by modifying the appropriate stanzas in $SPLUNK_HOME$/etc/apps/yourapp/local - so the customization won't be lost when you update the app.

I don't see any other possibility! , except for rewriting the app or re-indexing your data.

max_szulc · ‎02-05-2016

I see. That is a good solution, however, that would require changes for all macros.conf, savedsearches.conf - and now consider a number of apps.

But I suppose that would get job done until/unless Splunk would feature index aliasing one day. Thanks.

Is it possible to alias an index name?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!