Splunk Cloud Platform

Disabling index

muzeebm
Explorer

Hi, I am using Splunk Cloud and I need to disable some indexes temporarily. I am using the AWS add-on app to ship AWS ALB logs from an S3 bucket. My daily ingestion data is going beyond the license and I would like to disable these indexes temporarily.

I can see there is an option to disable an input in the inputs section, but the same option is not available for an index, although on the index listing page it shows as enabled in the last column.

Would appreciate it if someone has any solution for the problem mentioned above. Thanks.

Muzeeb

1 Solution

Roy_9
Motivator

Hello @muzeebm 

You cannot access the indexing tier, as it will be under the control of Splunk support.

For your query to disable the index, you don't have an option via the GUI to disable it; you can only edit the retention or delete the index if you are allotted sc_admin access to your cloud stack.

Hope this info helps.

 

Thanks


muzeebm
Explorer

Thanks @isoutamo @PickleRick,

I am new to Splunk Cloud. How do I access the indexes.conf file in a Splunk Cloud environment?

 

Muzeeb

PickleRick
SplunkTrust

Ahh. I didn't notice we're talking about the cloud service. Simple answer is: you can't. You don't have direct access to configuration files. Some settings you can manipulate by deploying apps with the needed settings, but for some it's necessary to contact support.

But the question is whether Splunk Cloud uses remote storage, as @isoutamo suggested. I'd strongly suspect that, so you probably should disable ingestion of events, not the indexes themselves.


isoutamo
SplunkTrust

If you have enough rights, you could see those under Settings -> Indexes.

PickleRick
SplunkTrust

In theory, you could set disabled=true in your indexes.conf for any index.

But.

You probably won't get any performance-wise relief since I suppose the events would still get ingested and parsed, only at the end of the pipeline they wouldn't get written into the index.

More importantly, I suppose (but haven't checked it, I must admit) that in case of a disabled index Splunk would react as if the index was not defined at all and - if you have one defined - would place the events in your last-resort index.


isoutamo
SplunkTrust

In indexes.conf there is this warning:

disabled = <boolean>
* Toggles your index entry off and on.
* Set to "true" to disable an index.
* CAUTION: Do not set this setting to "true" on remote storage enabled indexes.
* Default: false

If I have understood right, in Splunk Cloud they use SmartStore, which is remote storage. So you couldn't set it even if you technically could.
