Hi, I am using Splunk Cloud and I need to disable some indexes temporarily. I am using the AWS add-on app to ship AWS ALB logs from an S3 bucket. My daily ingestion data is going beyond the license and I would like to disable these indexes temporarily.
I can see there is an option to disable an input in the inputs section, but the same option is not available for an index, although in the index listing page it shows as enabled in the last column.
Would appreciate if someone has any solution for the problem mentioned above. Thanks.
Muzeeb
Hello @muzeebm
You cannot access the indexing tier as it will be under the control of Splunk support.
For your query to disable the index, you don't have an option via GUI to disable it, you can only edit the retention or delete the index if you are allotted sc_admin access to your cloud stack.
Hope this info helps.
Thanks
Thanks @isoutamo @PickleRick ,
I am new to Splunk Cloud. How do I access the indexes.conf file in a Splunk Cloud environment?
Muzeeb
Ahh. I didn't notice we're talking about the cloud service. Simple answer is - you can't. You don't have direct access to configuration files. Some settings you can manipulate by deploying apps with needed settings but for some it's necessary to contact support.
But the question is if Splunk Cloud uses remote storage as @isoutamo suggested. I'd strongly suspect that, so you probably should disable ingestion of events, not the indexes themselves.
If you have enough rights, you could see those under Settings-> Indexes.
In theory, you could set disabled=true in your indexes.conf for any index.
But.
You probably won't get any performance-wise relief since I suppose the events would still get ingested and parsed, only at the end of the pipeline they wouldn't get written into the index.
More importantly, I suppose (but haven't checked it, I must admit) that in case of a disabled index Splunk would react as if the index was not defined at all and - if you have one defined - would place the events in your last-resort index.
In indexes.conf there is this warning:
disabled = <boolean>
* Toggles your index entry off and on.
* Set to "true" to disable an index.
* CAUTION: Do not set this setting to "true" on remote storage enabled indexes.
* Default: false
If I have understood right, in Splunk Cloud they use SmartStore, which is remote storage. So you couldn't set it even if you technically could.