Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- tsidxWritingLevel field is empty when calling Splu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tsidxWritingLevel field is empty when calling Splunk REST API
Dominik_K
Loves-to-Learn Lots
12-28-2020
06:07 AM
Splunk version: 8.1.1
OS: CentOS 7.9
My indexes.conf file looks like this:
[default]
tsidxWritingLevel = 4
[mynewindex]
coldPath = $SPLUNK_DB/mynewindex/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/mynewindex/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/mynewindex/thaweddb
tsidxWritingLevel = 4
What is my goal?
I want to ensure that tsidxWritingLevel = 4 is actually set up and is working.
So I ran an API query in Splunk:
| rest /services/data/indexes
But tsidxWritingLevel field is empty all the way down. Why is that? How can check that Splunk is actually using tsidxWritingLevel = 4?
Output from btool:
[root@localhost local]# /opt/splunk/bin/splunk btool indexes list --debug | grep local
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf [_internal]
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf [default]
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/apps/search/local/indexes.conf [mynewindex]
/opt/splunk/etc/apps/search/local/indexes.conf coldPath = $SPLUNK_DB/mynewindex/colddb
/opt/splunk/etc/apps/search/local/indexes.conf enableDataIntegrityControl = 0
/opt/splunk/etc/apps/search/local/indexes.conf enableTsidxReduction = 0
/opt/splunk/etc/apps/search/local/indexes.conf homePath = $SPLUNK_DB/mynewindex/db
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/apps/search/local/indexes.conf maxTotalDataSizeMB = 512000
/opt/splunk/etc/apps/search/local/indexes.conf thawedPath = $SPLUNK_DB/mynewindex/thaweddb
/opt/splunk/etc/apps/search/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
/opt/splunk/etc/system/local/indexes.conf journalCompression = zstd
/opt/splunk/etc/system/local/indexes.conf tsidxWritingLevel = 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dominik_K
Loves-to-Learn Lots
12-28-2020
06:58 AM
I tried to run different API call in Splunk
| rest /services/configs/conf-indexesAnd this one is actually returning tsidxWritingLevel field showing value 4.
Get Updates on the Splunk Community!
Splunk Enterprise Security: Your Command Center for PCI DSS Compliance
Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...
Developer Spotlight with Guilhem Marchand
From Splunk Engineer to Founder: The Journey Behind TrackMe
After spending over 12 years working full time ...
Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...
The Problem: When Networks and Services Don't Talk
Payment systems fail at a retail location. Customers are ...
