Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Head Volume Settings not being set on Additional Splunk Search Heads in Cloud

christian_088
Explorer
‎04-05-2021 03:39 PM

When I used to manually created indexes on prem, I would create a record in index.conf for Indexers and a separate one in indexes.conf for Search heads. The documentation calls it a "Search Head Volume Settings".
https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Configurethesearchhead

The SH uses this index list to validate the target of summary indexed data, provide typehead for users using index=*. It's my current understanding that this is also used to calculate | rest /services/data/indexes based on testing on-prem.

I am concerned that Splunk Cloud doesn't seem to be being creating these in my cloud environment on the search heads that I did not create the index from. The issue is that for things like multi-select dashboard inputs that use this API to select index and IDM input set up, Splunk doesn't know about Indexes that I created on my Search Head/IDM/ES server. Originally Support told me to delete the index and recreate it on the IDM to set up the Modular input to use that Input. Users are complaining about apps that we use wanting to use the rest API query for indexes. 

Have others dealt with this and found solutions with Splunk Support?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2021 11:36 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-05-2021 05:04 PM

If you have independent search heads (as opposed to a SHC) then indexes created via one SH will be unknown to the other(s).  One solution to that is to create an app (called, for example, myorg_all_indexes) and put the indexes.conf file there (you'll also need app.conf).  Install the app on the SHs and the IDM.  Splunk Cloud will automatically install the app on the indexers.  The process is a little longer than using the GUI, but it keeps everything in sync.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

christian_088
Explorer
‎04-06-2021 10:19 AM

Thanks, @richgalloway

So there isn't supposed to be any automated process is the answer. I will go the custom app route myself. Thanks. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2021 11:36 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...