Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are some of the best practices in changing Virtual Index name?

EricLloyd79
Builder
‎02-14-2018 09:56 AM

Hello, my question is a quickie.

We are currently using HUNK to get Hadoop Distributed File System(HDFS) data and pulling it into a virtual index. We want to change the name of the virtual index.
My inclination is to make a copy (I wish I could just clone it but it seems that functionality doesn't exist) of the original index (xyz) and then just call it by the new name (abc). In theory, both indexes will be pulling the same data into them and once I verify all data is available through abc (new index), I can delete the old index (xyz)

Does this sound reasonable?
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rdagan_splunk
Splunk Employee
Splunk Employee
‎02-14-2018 10:27 AM

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rdagan_splunk
Splunk Employee
Splunk Employee
‎02-14-2018 10:27 AM

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

0 Karma
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎02-14-2018 10:30 AM

Thank you for replying. Do you find there is a problem with the method I proposed? I would like to be able to avoid changing anything on the original virtual index that way I can test to see if the newly named virtual index is running correctly before doing anything that might affect the working virtual index.

Thanks

0 Karma
Reply
Solved! Jump to solution

rdagan_splunk
Splunk Employee
Splunk Employee
‎02-14-2018 11:29 AM

Although, Splunk does not offer an option to copy a virtual index, you can create a new virtual index and point it to the same HDFS path.
Yes, what you are trying to do will work.

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎02-16-2018 10:10 AM

I second what Raanan says. That's what I do. I have say foo and then foo_test. That way you can do a side by side search to compare, if needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...