Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are some of the best practices in changing Virtual Index name?

EricLloyd79
Builder
‎02-14-2018 09:56 AM

Hello, my question is a quickie.

We are currently using HUNK to get Hadoop Distributed File System(HDFS) data and pulling it into a virtual index. We want to change the name of the virtual index.
My inclination is to make a copy (I wish I could just clone it but it seems that functionality doesn't exist) of the original index (xyz) and then just call it by the new name (abc). In theory, both indexes will be pulling the same data into them and once I verify all data is available through abc (new index), I can delete the old index (xyz)

Does this sound reasonable?
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rdagan_splunk
Splunk Employee
Splunk Employee
‎02-14-2018 10:27 AM

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rdagan_splunk
Splunk Employee
Splunk Employee
‎02-14-2018 10:27 AM

If you have many virtual indexes that require name change, you may what to:
1) find the indexes.conf file that contains all of your virtual indexes configurations (default is /opt/splunk/etc/apps/search/local/indexes.conf )
2) Make a copy of that file (just in case ..)
3) Modify the names of the virtual indexes in the indexes.conf file
4) restart Splunk

0 Karma
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎02-14-2018 10:30 AM

Thank you for replying. Do you find there is a problem with the method I proposed? I would like to be able to avoid changing anything on the original virtual index that way I can test to see if the newly named virtual index is running correctly before doing anything that might affect the working virtual index.

Thanks

0 Karma
Reply
Solved! Jump to solution

rdagan_splunk
Splunk Employee
Splunk Employee
‎02-14-2018 11:29 AM

Although, Splunk does not offer an option to copy a virtual index, you can create a new virtual index and point it to the same HDFS path.
Yes, what you are trying to do will work.

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎02-16-2018 10:10 AM

I second what Raanan says. That's what I do. I have say foo and then foo_test. That way you can do a side by side search to compare, if needed.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...