Splunk Search

How to move an index to another app?

SplunkTrust
SplunkTrust

In the Settings->Indexes screen I found one of my indexes is listed as being part of a different app than the one I'm building. Apparently, one shouldn't try out other apps before creating a new index. Now I'm wondering how to move the index under my app. I tried editing the metadata.local files for each app and restarting Splunk, but that didn't help. What else should I do?

---
If this reply helps you, an upvote would be appreciated.
Tags (2)
1 Solution

SplunkTrust
SplunkTrust

Take the entry from etc/apps/wrong_app/local/indexes.conf and move it to etc/apps/right_app/local/indexes.conf and restart Splunk.

View solution in original post

Explorer

If you need to move an index that is written inside an indexes.conf file (with other indexes also). You just need to copy the stanza out of the indexes.conf and move to the new apps location in the new indexes.conf file.

Example: I will be moving an app called cloud from the "system" app and moving it to the "search" app.

  1. Edit the file below
    /opt/splunk/etc/system/local/indexes.conf

  2. Cut the entire stanza you want to move

    EXAMPLE
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    [cloud]
    coldPath = $SPLUNKDB/cloud/colddb
    homePath = $SPLUNK
    DB/cloud/db
    thawedPath = $SPLUNKDB/cloud/thaweddb
    maxHotIdleSecs = 86400
    maxHotBuckets = 10
    maxDataSize = auto
    high_volume
    frozenTimePeriodInSecs = 94608000
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  3. Edit the file you are moving to
    /opt/splunk/etc/apps/search/local/indexes.conf

NOTE - if no /local/indexes.conf exists - create one

  1. Paste the entire stanza from above into the new location (do not use the Plus symbols)

  2. Restart splunk

  3. Profit

😃

SplunkTrust
SplunkTrust

Take the entry from etc/apps/wrong_app/local/indexes.conf and move it to etc/apps/right_app/local/indexes.conf and restart Splunk.

View solution in original post

SplunkTrust
SplunkTrust

Indeed, this move approach is unrelated to your problem. All this question is about is moving the configuration stanza from one app to another, leaving the indexed data as-is.

0 Karma

SplunkTrust
SplunkTrust

It would help us in helping you if you provided more details. What did you attempt to do, precisely? What did you see as a result of that attempt? In what way does that result differ from your expectation?

0 Karma

Explorer

I downvoted this post because this didn't work for me.

0 Karma

Community Manager
Community Manager

Hi @ksbuchanan

Downvoting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices. Simply commenting with constructive feedback on the post you are concerned with will be more beneficial for the community to learn from.

Some of the most active members in Answers have helped set the standard of how voting etiquette should work in the Splunk community which distinguishes our culture apart from other Q&A forums. Upvote early and often to give credit where it’s due for high quality posts, comment where you think feedback needs to be given, and only downvote if something potentially dangerous is suggested or people are just being inappropriate.

If you’re interested in seeing how this voting etiquette was developed, check out this Splunk Answers post: https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

0 Karma

Explorer

I followed these steps:

I cut/pasted the section my app, and move it from the "wrongapp" to the "correctapp" in the indexes.conf files. I restarted splunk.

The symptom, was that the dashboard/reports wasn't displaying the data. however - I may have found that the reason is totally unrelated to the context of this thread (so, I'm removing my downgrade). I opened a question here that has more detail. In summary, I moved data to another index, and the historical data (was moved via collect), and it isn't parsing the fields. When I move the app and the data wasn't being displayed, I assumed (wrong of me) that this "move technique" wasn't correcting the problem

0 Karma