In the Settings->Indexes screen I found one of my indexes is listed as being part of a different app than the one I'm building. Apparently, one shouldn't try out other apps before creating a new index. Now I'm wondering how to move the index under my app. I tried editing the metadata.local files for each app and restarting Splunk, but that didn't help. What else should I do?
If you need to move an index that is written inside an indexes.conf file (with other indexes also). You just need to copy the stanza out of the indexes.conf and move to the new apps location in the new indexes.conf file.
Example: I will be moving an app called cloud from the "system" app and moving it to the "search" app.
Edit the file below
Cut the entire stanza you want to move
coldPath = $SPLUNK_DB/cloud/colddb
homePath = $SPLUNK_DB/cloud/db
thawedPath = $SPLUNK_DB/cloud/thaweddb
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume
frozenTimePeriodInSecs = 94608000
Edit the file you are moving to
NOTE - if no /local/indexes.conf exists - create one
Paste the entire stanza from above into the new location (do not use the Plus symbols)
Indeed, this move approach is unrelated to your problem. All this question is about is moving the configuration stanza from one app to another, leaving the indexed data as-is.
It would help us in helping you if you provided more details. What did you attempt to do, precisely? What did you see as a result of that attempt? In what way does that result differ from your expectation?
Downvoting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices. Simply commenting with constructive feedback on the post you are concerned with will be more beneficial for the community to learn from.
Some of the most active members in Answers have helped set the standard of how voting etiquette should work in the Splunk community which distinguishes our culture apart from other Q&A forums. Upvote early and often to give credit where it’s due for high quality posts, comment where you think feedback needs to be given, and only downvote if something potentially dangerous is suggested or people are just being inappropriate.
If you’re interested in seeing how this voting etiquette was developed, check out this Splunk Answers post: https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html
I followed these steps:
I cut/pasted the section my app, and move it from the "wrong_app" to the "correct_app" in the indexes.conf files. I restarted splunk.
The symptom, was that the dashboard/reports wasn't displaying the data. however - I may have found that the reason is totally unrelated to the context of this thread (so, I'm removing my downgrade). I opened a question here that has more detail. In summary, I moved data to another index, and the historical data (was moved via collect), and it isn't parsing the fields. When I move the app and the data wasn't being displayed, I assumed (wrong of me) that this "move technique" wasn't correcting the problem