Splunk Enterprise

Splunk new index

vemurisurya
Path Finder

Hi,
if some one come and ask me to create a index splunk to indext the data from the new data source.
what happens if created that index from searchhead
and write a stanza to indexs.conf file in masterserver server and push those changes to all other peer nodes (indexers cluster)

Tags (1)
0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

without cluster, i think, we can not create indexes on search heads (thru splunk GUI when we create, it creates on indexer, not on Search Head, i think)

Regarding indexer cluster,

Note: To add a new index to an indexer cluster, you must directly edit indexes.conf. You cannot add an index via Splunk Web or the CLI. For information on how to configure indexes.conf for clusters, see Configure the peer indexes in an indexer cluster. That topic includes an example of creating a new cluster index.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Setupmultipleindexes

Important: You cannot use Splunk Web or the CLI to configure index settings on peer nodes. You must edit indexes.conf directly.

Configure the peer indexes in an indexer cluster -
You configure indexes by editing the indexes.conf file. This file determines an indexer's set of indexes, as well as the size and attributes of its buckets. Since all peers in a cluster must use the same set of indexes (except for limited purposes, described later), the indexes.conf file should ordinarily be the same across all peers.

The cluster peers deploy with a peer-specific default indexes.conf file that handles basic cluster needs. If you want to add indexes or change bucket behavior, you edit a new indexes.conf file in a special location on the master and then distribute the file simultaneously to all the peers.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Configurethepeerindexes

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

inventsekar
SplunkTrust
SplunkTrust

without cluster, i think, we can not create indexes on search heads (thru splunk GUI when we create, it creates on indexer, not on Search Head, i think)

Regarding indexer cluster,

Note: To add a new index to an indexer cluster, you must directly edit indexes.conf. You cannot add an index via Splunk Web or the CLI. For information on how to configure indexes.conf for clusters, see Configure the peer indexes in an indexer cluster. That topic includes an example of creating a new cluster index.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Setupmultipleindexes

Important: You cannot use Splunk Web or the CLI to configure index settings on peer nodes. You must edit indexes.conf directly.

Configure the peer indexes in an indexer cluster -
You configure indexes by editing the indexes.conf file. This file determines an indexer's set of indexes, as well as the size and attributes of its buckets. Since all peers in a cluster must use the same set of indexes (except for limited purposes, described later), the indexes.conf file should ordinarily be the same across all peers.

The cluster peers deploy with a peer-specific default indexes.conf file that handles basic cluster needs. If you want to add indexes or change bucket behavior, you edit a new indexes.conf file in a special location on the master and then distribute the file simultaneously to all the peers.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Configurethepeerindexes

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...