- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Splunk new index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if some one come and ask me to create a index splunk to indext the data from the new data source.
what happens if created that index from searchhead
and write a stanza to indexs.conf file in masterserver server and push those changes to all other peer nodes (indexers cluster)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
without cluster, i think, we can not create indexes on search heads (thru splunk GUI when we create, it creates on indexer, not on Search Head, i think)
Regarding indexer cluster,
Note: To add a new index to an indexer cluster, you must directly edit indexes.conf. You cannot add an index via Splunk Web or the CLI. For information on how to configure indexes.conf for clusters, see Configure the peer indexes in an indexer cluster. That topic includes an example of creating a new cluster index.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Setupmultipleindexes
Important: You cannot use Splunk Web or the CLI to configure index settings on peer nodes. You must edit indexes.conf directly.
Configure the peer indexes in an indexer cluster -
You configure indexes by editing the indexes.conf file. This file determines an indexer's set of indexes, as well as the size and attributes of its buckets. Since all peers in a cluster must use the same set of indexes (except for limited purposes, described later), the indexes.conf file should ordinarily be the same across all peers.
The cluster peers deploy with a peer-specific default indexes.conf file that handles basic cluster needs. If you want to add indexes or change bucket behavior, you edit a new indexes.conf file in a special location on the master and then distribute the file simultaneously to all the peers.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Configurethepeerindexes
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
without cluster, i think, we can not create indexes on search heads (thru splunk GUI when we create, it creates on indexer, not on Search Head, i think)
Regarding indexer cluster,
Note: To add a new index to an indexer cluster, you must directly edit indexes.conf. You cannot add an index via Splunk Web or the CLI. For information on how to configure indexes.conf for clusters, see Configure the peer indexes in an indexer cluster. That topic includes an example of creating a new cluster index.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Setupmultipleindexes
Important: You cannot use Splunk Web or the CLI to configure index settings on peer nodes. You must edit indexes.conf directly.
Configure the peer indexes in an indexer cluster -
You configure indexes by editing the indexes.conf file. This file determines an indexer's set of indexes, as well as the size and attributes of its buckets. Since all peers in a cluster must use the same set of indexes (except for limited purposes, described later), the indexes.conf file should ordinarily be the same across all peers.
The cluster peers deploy with a peer-specific default indexes.conf file that handles basic cluster needs. If you want to add indexes or change bucket behavior, you edit a new indexes.conf file in a special location on the master and then distribute the file simultaneously to all the peers.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Configurethepeerindexes
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
