Solved: Re: Splunk new index

vemurisurya · ‎06-05-2017

Hi,
if some one come and ask me to create a index splunk to indext the data from the new data source.
what happens if created that index from searchhead
and write a stanza to indexs.conf file in masterserver server and push those changes to all other peer nodes (indexers cluster)

inventsekar · ‎06-05-2017

without cluster, i think, we can not create indexes on search heads (thru splunk GUI when we create, it creates on indexer, not on Search Head, i think)

Regarding indexer cluster,

Note: To add a new index to an indexer cluster, you must directly edit indexes.conf. You cannot add an index via Splunk Web or the CLI. For information on how to configure indexes.conf for clusters, see Configure the peer indexes in an indexer cluster. That topic includes an example of creating a new cluster index.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Setupmultipleindexes

Important: You cannot use Splunk Web or the CLI to configure index settings on peer nodes. You must edit indexes.conf directly.

Configure the peer indexes in an indexer cluster -
You configure indexes by editing the indexes.conf file. This file determines an indexer's set of indexes, as well as the size and attributes of its buckets. Since all peers in a cluster must use the same set of indexes (except for limited purposes, described later), the indexes.conf file should ordinarily be the same across all peers.

The cluster peers deploy with a peer-specific default indexes.conf file that handles basic cluster needs. If you want to add indexes or change bucket behavior, you edit a new indexes.conf file in a special location on the master and then distribute the file simultaneously to all the peers.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Configurethepeerindexes

View solution in original post

inventsekar · ‎06-05-2017

without cluster, i think, we can not create indexes on search heads (thru splunk GUI when we create, it creates on indexer, not on Search Head, i think)

Regarding indexer cluster,

Note: To add a new index to an indexer cluster, you must directly edit indexes.conf. You cannot add an index via Splunk Web or the CLI. For information on how to configure indexes.conf for clusters, see Configure the peer indexes in an indexer cluster. That topic includes an example of creating a new cluster index.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Setupmultipleindexes

Important: You cannot use Splunk Web or the CLI to configure index settings on peer nodes. You must edit indexes.conf directly.

Configure the peer indexes in an indexer cluster -
You configure indexes by editing the indexes.conf file. This file determines an indexer's set of indexes, as well as the size and attributes of its buckets. Since all peers in a cluster must use the same set of indexes (except for limited purposes, described later), the indexes.conf file should ordinarily be the same across all peers.

The cluster peers deploy with a peer-specific default indexes.conf file that handles basic cluster needs. If you want to add indexes or change bucket behavior, you edit a new indexes.conf file in a special location on the master and then distribute the file simultaneously to all the peers.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Configurethepeerindexes

Splunk new index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation