Splunk Cloud Platform

Search Head Volume Settings not being set on Additional Splunk Search Heads in Cloud

christian_088
Explorer

When I used to manually created indexes on prem, I would create a record in index.conf for Indexers and a separate one in indexes.conf for Search heads. The documentation calls it a "Search Head Volume Settings".
https://docs.splunk.com/Documentation/Splunk/8.1.3/Indexer/Configurethesearchhead

The SH uses this index list to validate the target of summary indexed data, provide typehead for users using index=*. It's my current understanding that this is also used to calculate | rest /services/data/indexes based on testing on-prem.

I am concerned that Splunk Cloud doesn't seem to be being creating these in my cloud environment on the search heads that I did not create the index from. The issue is that for things like multi-select dashboard inputs that use this API to select index and IDM input set up, Splunk doesn't know about Indexes that I created on my Search Head/IDM/ES server. Originally Support told me to delete the index and recreate it on the IDM to set up the Modular input to use that Input. Users are complaining about apps that we use wanting to use the rest API query for indexes. 

Have others dealt with this and found solutions with Splunk Support?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you have independent search heads (as opposed to a SHC) then indexes created via one SH will be unknown to the other(s).  One solution to that is to create an app (called, for example, myorg_all_indexes) and put the indexes.conf file there (you'll also need app.conf).  Install the app on the SHs and the IDM.  Splunk Cloud will automatically install the app on the indexers.  The process is a little longer than using the GUI, but it keeps everything in sync.

---
If this reply helps you, Karma would be appreciated.

christian_088
Explorer

Thanks, @richgalloway

So there isn't supposed to be any automated process is the answer. I will go the custom app route myself. Thanks. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...