Splunk Search

What are some of the best practices in changing Virtual Index name?

EricLloyd79
Builder

Hello, my question is a quickie.

We are currently using HUNK to get Hadoop Distributed File System(HDFS) data and pulling it into a virtual index. We want to change the name of the virtual index.
My inclination is to make a copy (I wish I could just clone it but it seems that functionality doesn't exist) of the original index (xyz) and then just call it by the new name (abc). In theory, both indexes will be pulling the same data into them and once I verify all data is available through abc (new index), I can delete the old index (xyz)

Does this sound reasonable?
Thanks

0 Karma
1 Solution

rdagan_splunk
Splunk Employee
Splunk Employee

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

View solution in original post

0 Karma

rdagan_splunk
Splunk Employee
Splunk Employee

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

0 Karma

EricLloyd79
Builder

Thank you for replying. Do you find there is a problem with the method I proposed? I would like to be able to avoid changing anything on the original virtual index that way I can test to see if the newly named virtual index is running correctly before doing anything that might affect the working virtual index.

Thanks

0 Karma

rdagan_splunk
Splunk Employee
Splunk Employee

Although, Splunk does not offer an option to copy a virtual index, you can create a new virtual index and point it to the same HDFS path.
Yes, what you are trying to do will work.

0 Karma

burwell
SplunkTrust
SplunkTrust

I second what Raanan says. That's what I do. I have say foo and then foo_test. That way you can do a side by side search to compare, if needed.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...