Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename an index or move everything we have in the main index into another index?

ralphw_SAIC
Path Finder
‎09-14-2015 08:28 AM

Splunk 6.2.3 on RHEL6. We are growing and I would like to have some consistency in our index naming convention. So, I would like to move everything we have in MAIN into another index.

Is it as easy as cp -rp $SPLUNK_DB/* /foo/bar/ and changing the incoming feeds to point to the new index?

Thanks,

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-14-2015 11:01 AM

Almost correct, with additional step to stop the splunk before and start after index data copy. See detailed steps here

http://answers.splunk.com/answers/5479/how-to-rename-an-index.html

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-14-2015 11:01 AM

Almost correct, with additional step to stop the splunk before and start after index data copy. See detailed steps here

http://answers.splunk.com/answers/5479/how-to-rename-an-index.html

Reply
Solved! Jump to solution

ralphw_SAIC
Path Finder
‎09-15-2015 11:04 AM

Tried the above link and logs were still going to main. Only the local splunk server was sending anything to the new index. I updated inputs.conf with "index = NEW_INDEX" before I started splunk back up.

Any ideas on why nothing external was going to the new index? We are using the Universal Forwarder, if that helps any, on our clients.

0 Karma
Reply
Solved! Jump to solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-15-2015 11:31 AM

Splunk Universal Forwarder

0 Karma
Reply
Solved! Jump to solution

ralphw_SAIC
Path Finder
‎09-15-2015 11:58 AM

No I did not. It did not sound like I needed to from the docs. I will give this another go tomorrow.

Thanks,

0 Karma
Reply
Solved! Jump to solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-15-2015 11:12 AM

did you update your UF inputs.conf monitor stanzas as well to include the index= NEW_INDEX and restart?

Reply
Solved! Jump to solution

ralphw_SAIC
Path Finder
‎09-15-2015 11:29 AM

Sorry to sound like an id10t, but what do you mean by "UF"?

Also, I only updated inputs.conf on the server. At least that is how I read it. Do I also need to update it on the clients?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-15-2015 11:54 AM

If by client you mean where you Universal forwarders are installed, then yes, you need to update inputs.conf only on clients. In every type of input (monitoring/batch/script/perfom/eventlog etc) just change the reference of index = main OR wherever index is missing, with index= NEW_INDEX.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...