Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Head Volume Settings not being set on Additional Splunk Search Heads in Cloud

christian_088
Explorer
‎04-05-2021 03:39 PM

When I used to manually created indexes on prem, I would create a record in index.conf for Indexers and a separate one in indexes.conf for Search heads. The documentation calls it a "Search Head Volume Settings".
https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Configurethesearchhead

The SH uses this index list to validate the target of summary indexed data, provide typehead for users using index=*. It's my current understanding that this is also used to calculate | rest /services/data/indexes based on testing on-prem.

I am concerned that Splunk Cloud doesn't seem to be being creating these in my cloud environment on the search heads that I did not create the index from. The issue is that for things like multi-select dashboard inputs that use this API to select index and IDM input set up, Splunk doesn't know about Indexes that I created on my Search Head/IDM/ES server. Originally Support told me to delete the index and recreate it on the IDM to set up the Modular input to use that Input. Users are complaining about apps that we use wanting to use the rest API query for indexes. 

Have others dealt with this and found solutions with Splunk Support?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2021 11:36 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-05-2021 05:04 PM

If you have independent search heads (as opposed to a SHC) then indexes created via one SH will be unknown to the other(s).  One solution to that is to create an app (called, for example, myorg_all_indexes) and put the indexes.conf file there (you'll also need app.conf).  Install the app on the SHs and the IDM.  Splunk Cloud will automatically install the app on the indexers.  The process is a little longer than using the GUI, but it keeps everything in sync.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

christian_088
Explorer
‎04-06-2021 10:19 AM

Thanks, @richgalloway

So there isn't supposed to be any automated process is the answer. I will go the custom app route myself. Thanks. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2021 11:36 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...