How to move an index to another app?

richgalloway
SplunkTrust

In the Settings->Indexes screen I found one of my indexes is listed as being part of a different app than the one I'm building. Apparently, one shouldn't try out other apps before creating a new index. Now I'm wondering how to move the index under my app. I tried editing the metadata.local files for each app and restarting Splunk, but that didn't help. What else should I do?

---
If this reply helps you, Karma would be appreciated.

martin_mueller
SplunkTrust

Take the entry from etc/apps/wrong_app/local/indexes.conf and move it to etc/apps/right_app/local/indexes.conf and restart Splunk.

dkeesling
Explorer

If you need to move an index that is written inside an indexes.conf file (with other indexes also), you just need to copy the stanza out of the indexes.conf and move it to the new app's location in the new indexes.conf file.

Example: I will be moving an app called cloud from the "system" app and moving it to the "search" app.

  1. Edit the file below
    /opt/splunk/etc/system/local/indexes.conf

  2. Cut the entire stanza you want to move

    EXAMPLE
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    [cloud]
    coldPath = $SPLUNK_DB/cloud/colddb
    homePath = $SPLUNK_DB/cloud/db
    thawedPath = $SPLUNK_DB/cloud/thaweddb
    maxHotIdleSecs = 86400
    maxHotBuckets = 10
    maxDataSize = auto_high_volume
    frozenTimePeriodInSecs = 94608000
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  3. Edit the file you are moving to
    /opt/splunk/etc/apps/search/local/indexes.conf

NOTE - if no /local/indexes.conf exists - create one

  4. Paste the entire stanza from above into the new location (do not use the Plus symbols)

  5. Restart Splunk

  6. Profit

😃
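The cut-and-paste steps above as a shell function, added here as an illustration and not code from any of the posters. `move_stanza` is a hypothetical helper name; it assumes each stanza header sits on its own line with no trailing whitespace, and it leaves the restart to you.

```shell
#!/bin/sh
# move_stanza SRC DST NAME  (hypothetical helper, added example)
# Moves the [NAME] stanza out of SRC and appends it to DST, leaving every
# other stanza in SRC untouched. Comment or blank lines that follow the
# stanza, up to the next [header], travel with it.
# Example with the paths from the post above:
#   move_stanza /opt/splunk/etc/system/local/indexes.conf \
#               /opt/splunk/etc/apps/search/local/indexes.conf cloud
move_stanza() {
    src=$1 dst=$2 name=$3

    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }

    # The stanza must exist in the source ...
    grep -qxF "[$name]" "$src" || { echo "[$name] not found in $src" >&2; return 1; }

    # ... and must not already be defined in the destination, otherwise
    # the destination would end up with two competing definitions.
    if [ -f "$dst" ] && grep -qxF "[$name]" "$dst"; then
        echo "[$name] already defined in $dst" >&2
        return 1
    fi

    # Create .../local/ if it does not exist, and keep a copy of the source.
    mkdir -p "$(dirname "$dst")" || return 1
    cp -p "$src" "$src.bak" || return 1

    # Separate the new stanza from whatever the destination already holds.
    if [ -s "$dst" ]; then echo >> "$dst"; fi

    tmp=$(mktemp) || return 1
    # Stanza lines are appended to DST; everything else is written to tmp.
    awk -v hdr="[$name]" -v out="$dst" '
        /^\[/     { in_stanza = ($0 == hdr) }
        in_stanza { print >> out; next }
                  { print }
    ' "$src" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite in place so SRC keeps its owner and permissions.
    cat "$tmp" > "$src" && rm -f "$tmp"
}
```

After the restart, `splunk btool indexes list cloud --debug` prints the file each setting of the stanza is read from, which confirms the index is now defined by the intended app.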

martin_mueller
SplunkTrust

Indeed, this move approach is unrelated to your problem. All this question is about is moving the configuration stanza from one app to another, leaving the indexed data as-is.

0 Karma

martin_mueller
SplunkTrust

It would help us in helping you if you provided more details. What did you attempt to do, precisely? What did you see as a result of that attempt? In what way does that result differ from your expectation?

0 Karma

ksbuchanan
Explorer

I downvoted this post because this didn't work for me.

0 Karma

ppablo
Retired

Hi @ksbuchanan

Downvoting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or go completely against known best practices. Simply commenting with constructive feedback on the post you are concerned with will be more beneficial for the community to learn from.

Some of the most active members in Answers have helped set the standard of how voting etiquette should work in the Splunk community which distinguishes our culture apart from other Q&A forums. Upvote early and often to give credit where it’s due for high quality posts, comment where you think feedback needs to be given, and only downvote if something potentially dangerous is suggested or people are just being inappropriate.

If you’re interested in seeing how this voting etiquette was developed, check out this Splunk Answers post: https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

0 Karma

ksbuchanan
Explorer

I followed these steps:

I cut/pasted the section for my app and moved it from the "wrong_app" to the "correct_app" in the indexes.conf files. I restarted Splunk.

The symptom was that the dashboard/reports weren't displaying the data. However, I may have found that the reason is totally unrelated to the context of this thread (so I'm removing my downgrade). I opened a question here that has more detail. In summary, I moved data to another index, and the historical data (which was moved via collect) isn't parsing the fields. When I moved the app and the data wasn't being displayed, I assumed (wrong of me) that this "move technique" wasn't correcting the problem.

0 Karma