Hi @diogofgm, permissions are right: we use our domain account, set to have admin rights on all Splunk hosts in our env. I performed some other analysis and I found a strange thing. Let me share with you another set of inputs.

In the environment under analysis, we have 4 indexers in a cluster. Above them, we have 3 SHs NOT in a cluster and a fourth one, the one with ES. So, in a nutshell:

3x SH Splunk Core (NO SH Cluster) + 1 ES SH
4x IDX clustered

Using btool, I checked indexes.conf deployed on the indexer cluster, and I found that, on all 4 IDXs, there are only 2 indexes.conf:

$SPLUNK_HOME$/etc/apps/slave-apps/_cluster/local/indexes.conf
$SPLUNK_HOME$/etc/system/default/indexes.conf

As I expected, the one in the default folder is the system-provided one, not edited by whoever performed the initial installation and setup (another company did this, not us). So, I checked the one in _cluster and, as I expected, it is the one where all the indexes created by previous admins have been put... except the one that gives me the problem. I mean: inside $SPLUNK_HOME$/etc/apps/slave-apps/_cluster/local/indexes.conf I can find the custom indexes set (there are 262 of them) but NOT the one (pan_logs) that raises the issue. There is no trace of it on the indexers (at least, in the files I checked).

So, I thought: hey, wait a minute, could it be deployed directly on the SH? So, I checked indexes.conf on the SH where I can query the index successfully, but again I found no trace of it. It appears, let me say, like a "ghost" index: no trace of it on the SH or the IDXs, but there is an SH able to query it.
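The file-by-file check described in the post, written up as an added example (not code from the original post or from Splunk): the script walks every indexes.conf under SPLUNK_HOME/etc and reports which files define a given index stanza, so a "ghost" index can be confirmed as defined nowhere on a host. The SPLUNK_HOME tree, the two indexes.conf files and the index names fw_logs and proxy_logs are all constructed here so the script runs offline; the path etc/slave-apps/_cluster/local is the pre-9.0 location of the pushed cluster bundle (assumed for the sample tree, it is etc/peer-apps on newer releases).

```shell
#!/bin/sh
# Added example, not part of the original post: find every indexes.conf under
# SPLUNK_HOME/etc that defines a given index stanza. No match on a host means
# that host has no configuration for the index at all.
# The tree below is constructed inline so the script runs offline; on a real
# host, set SPLUNK_HOME to the installation instead of the mktemp directory.
set -eu

# --- constructed sample tree (stand-in for one clustered indexer) ------------
SPLUNK_HOME="$(mktemp -d)"
mkdir -p "$SPLUNK_HOME/etc/system/default" \
         "$SPLUNK_HOME/etc/slave-apps/_cluster/local"

# Shipped defaults: only built-in indexes (constructed, abbreviated).
cat > "$SPLUNK_HOME/etc/system/default/indexes.conf" <<'EOF'
[default]
maxTotalDataSizeMB = 500000

[main]
homePath = $SPLUNK_DB/defaultdb/db

[_internal]
homePath = $SPLUNK_DB/_internaldb/db
EOF

# Cluster bundle pushed from the manager: the site's custom indexes (constructed).
cat > "$SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf" <<'EOF'
[volume:hot]
path = /opt/splunk/var/lib/splunk

[fw_logs]
homePath = volume:hot/fw_logs/db

[proxy_logs]
homePath = volume:hot/proxy_logs/db
EOF
export SPLUNK_HOME

# --- checks ------------------------------------------------------------------

# Print the path of every indexes.conf that contains a stanza header [$1].
# Empty output means the index is defined in no config file on this host.
find_index_definitions() {
    find "$SPLUNK_HOME/etc" -type f -name indexes.conf 2>/dev/null |
    while IFS= read -r conf; do
        if grep -qxF "[$1]" "$conf"; then
            printf '%s\n' "$conf"
        fi
    done
}

# List the custom index names in one indexes.conf, skipping the [default]
# stanza and [volume:*] stanzas, which are not indexes.
list_custom_indexes() {
    sed -n 's/^\[\([^]]*\)\].*/\1/p' "$1" |
    grep -v -e '^default$' -e '^volume:' || true
}

# Demo: an index that is in the cluster bundle, then the "ghost" one (pan_logs).
for idx in fw_logs pan_logs; do
    defs="$(find_index_definitions "$idx")"
    if [ -n "$defs" ]; then
        printf '%s is defined in:\n%s\n' "$idx" "$defs"
    else
        printf '%s is defined in NO indexes.conf under %s\n' "$idx" "$SPLUNK_HOME"
    fi
done
```

On a real host the same question is answered with Splunk's own precedence rules by `splunk btool indexes list pan_logs --debug`, which prints the file each attribute was read from; run it on every indexer and on each search head separately, since search heads that are not in a search head cluster each carry their own copy of etc.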