Splunk Cloud Platform

Search Head Volume Settings not being set on Additional Splunk Search Heads in Cloud

christian_088
Explorer

When I used to manually created indexes on prem, I would create a record in index.conf for Indexers and a separate one in indexes.conf for Search heads. The documentation calls it a "Search Head Volume Settings".
https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Configurethesearchhead

The SH uses this index list to validate the target of summary indexed data, provide typehead for users using index=*. It's my current understanding that this is also used to calculate | rest /services/data/indexes based on testing on-prem.

I am concerned that Splunk Cloud doesn't seem to be being creating these in my cloud environment on the search heads that I did not create the index from. The issue is that for things like multi-select dashboard inputs that use this API to select index and IDM input set up, Splunk doesn't know about Indexes that I created on my Search Head/IDM/ES server. Originally Support told me to delete the index and recreate it on the IDM to set up the Modular input to use that Input. Users are complaining about apps that we use wanting to use the rest API query for indexes. 

Have others dealt with this and found solutions with Splunk Support?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you have independent search heads (as opposed to a SHC) then indexes created via one SH will be unknown to the other(s).  One solution to that is to create an app (called, for example, myorg_all_indexes) and put the indexes.conf file there (you'll also need app.conf).  Install the app on the SHs and the IDM.  Splunk Cloud will automatically install the app on the indexers.  The process is a little longer than using the GUI, but it keeps everything in sync.

---
If this reply helps you, Karma would be appreciated.

christian_088
Explorer

Thanks, @richgalloway

So there isn't supposed to be any automated process is the answer. I will go the custom app route myself. Thanks. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...