Splunk Search

What are some of the best practices in changing Virtual Index name?

EricLloyd79
Builder

Hello, my question is a quickie.

We are currently using HUNK to get Hadoop Distributed File System(HDFS) data and pulling it into a virtual index. We want to change the name of the virtual index.
My inclination is to make a copy (I wish I could just clone it but it seems that functionality doesn't exist) of the original index (xyz) and then just call it by the new name (abc). In theory, both indexes will be pulling the same data into them and once I verify all data is available through abc (new index), I can delete the old index (xyz)

Does this sound reasonable?
Thanks

0 Karma
1 Solution

rdagan_splunk
Splunk Employee
Splunk Employee

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

View solution in original post

0 Karma

rdagan_splunk
Splunk Employee
Splunk Employee

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

0 Karma

EricLloyd79
Builder

Thank you for replying. Do you find there is a problem with the method I proposed? I would like to be able to avoid changing anything on the original virtual index that way I can test to see if the newly named virtual index is running correctly before doing anything that might affect the working virtual index.

Thanks

0 Karma

rdagan_splunk
Splunk Employee
Splunk Employee

Although, Splunk does not offer an option to copy a virtual index, you can create a new virtual index and point it to the same HDFS path.
Yes, what you are trying to do will work.

0 Karma

burwell
SplunkTrust
SplunkTrust

I second what Raanan says. That's what I do. I have say foo and then foo_test. That way you can do a side by side search to compare, if needed.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...