Splunk Cloud Platform
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Head Volume Settings not being set on Additional Splunk Search Heads in Cloud

christian_088
Explorer
‎04-05-2021 03:39 PM

When I used to manually created indexes on prem, I would create a record in index.conf for Indexers and a separate one in indexes.conf for Search heads. The documentation calls it a "Search Head Volume Settings".
https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Configurethesearchhead

The SH uses this index list to validate the target of summary indexed data, provide typehead for users using index=*. It's my current understanding that this is also used to calculate | rest /services/data/indexes based on testing on-prem.

I am concerned that Splunk Cloud doesn't seem to be being creating these in my cloud environment on the search heads that I did not create the index from. The issue is that for things like multi-select dashboard inputs that use this API to select index and IDM input set up, Splunk doesn't know about Indexes that I created on my Search Head/IDM/ES server. Originally Support told me to delete the index and recreate it on the IDM to set up the Modular input to use that Input. Users are complaining about apps that we use wanting to use the rest API query for indexes. 

Have others dealt with this and found solutions with Splunk Support?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2021 11:36 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-05-2021 05:04 PM

If you have independent search heads (as opposed to a SHC) then indexes created via one SH will be unknown to the other(s).  One solution to that is to create an app (called, for example, myorg_all_indexes) and put the indexes.conf file there (you'll also need app.conf).  Install the app on the SHs and the IDM.  Splunk Cloud will automatically install the app on the indexers.  The process is a little longer than using the GUI, but it keeps everything in sync.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

christian_088
Explorer
‎04-06-2021 10:19 AM

Thanks, @richgalloway

So there isn't supposed to be any automated process is the answer. I will go the custom app route myself. Thanks. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2021 11:36 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top