Splunk Dev

Move Index Configuration Entry

hartfoml
Motivator

I used the CLI to create two indexes.

The entry was put in the splunk/etc/apps/search/local/index.conf file
I wanted it in the splunk/etc/system/local/index.conf file

Does this make a difference???
If I need to, how can I move the config info to the new config file without breaking the index or deleting and recreating?

What did I do wrong that it created the indexes in the search app rather than in the system folder?

0 Karma
1 Solution

kristian_kolb
Ultra Champion

Ah, rest easy. You can move the configuration to /etc/system/local. This is just the definition of the index, not the index itself. No need to clean/re-index.

Oh, and by the way, you did nothing wrong. In this case it does not really make a difference, since the 'search' app cannot be disabled. However, I for one like to have these types (index-time related) of conf in one place, and I prefer to edit by hand so I know where they are. Other types of conf, like field extractions, eventtypes, saved searches etc., can, and often should, be set in different apps.

See http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Wheretofindtheconfigurationfiles

To 'fix' this:
1. Stop splunk.
2. Move the file (or rather the contents, as you might already have an indexes.conf in /etc/system/local).
3. Start splunk.

/k
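
One way to script step 2 of the answer above, as an added example that is not part of the original thread: it appends the stanzas from the search app's indexes.conf to the one in system/local and refuses when a stanza name is already defined there. The function names, index names and temporary directory layout are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Run it between "stop splunk" and "start splunk".
# Afterwards, `$SPLUNK_HOME/bin/splunk btool indexes list --debug` shows which file each setting is read from.

# Print the stanza names ([name] lines) defined in a .conf file, one per line.
list_stanzas() {
    [ -f "$1" ] || return 0
    sed -n 's/^\[\(.*\)\][[:space:]]*$/\1/p' "$1"
}

# move_index_stanzas SRC DST
# Appends SRC to DST (keeping DST.bak) and renames SRC to SRC.moved. Returns 1 and
# changes nothing when a stanza in SRC already exists in DST, so no setting is overridden.
move_index_stanzas() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    have=$(list_stanzas "$dst")
    dup=
    if [ -n "$have" ]; then
        dup=$(list_stanzas "$src" | grep -Fx -e "$have" || true)
    fi
    if [ -n "$dup" ]; then
        echo "already defined in $dst, merge by hand: $dup" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")"
    if [ -f "$dst" ]; then cp -p "$dst" "$dst.bak"; fi
    { if [ -s "$dst" ]; then echo; fi; cat "$src"; } >> "$dst"
    mv "$src" "$src.moved"
}

# Emit one constructed index definition (the index name passed in is made up).
sample_stanza() {
    printf '[%s]\nhomePath = $SPLUNK_DB/%s/db\ncoldPath = $SPLUNK_DB/%s/colddb\n' "$1" "$1" "$1"
    printf 'thawedPath = $SPLUNK_DB/%s/thaweddb\n' "$1"
}

# Constructed tree standing in for $SPLUNK_HOME/etc; prints its root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/apps/search/local" "$root/system/local"
    sample_stanza web_logs > "$root/apps/search/local/indexes.conf"
    sample_stanza fw_logs > "$root/system/local/indexes.conf"
    echo "$root"
}

etc=$(make_sample_tree)
move_index_stanzas "$etc/apps/search/local/indexes.conf" "$etc/system/local/indexes.conf"
list_stanzas "$etc/system/local/indexes.conf"
rm -rf "$etc"
```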

kristian_kolb
Ultra Champion

Don't think so. You can edit the files before you stop/restart. So it's only a stop for about a minute or so.

0 Karma

hartfoml
Motivator

Thanks so much for the help and this is probably the correct answer. I can't test it because I can't stop splunkd during the work day. Do you know of a way to update the info without stopping the service???

0 Karma