Deployment Architecture

Having to restart index cluster

johannamayer
New Member

Hi Splunkers, I am experiencing issues with an index cluster and it would be great if you could help me out.

Every time I change or create an index a restart is required and it takes up to an hour until all the indexers are ready again. This used to work without a restart and only started happening after an upgrade at some point. I found this, but that doesn't say anything about creating indexes.

Do you have an idea where this is coming from exactly and if it can be avoided in some way? Since changes are made weekly, it is really annoying.


gcusello
SplunkTrust

Hi @johannamayer,

Index creation isn't an activity that is usually performed frequently; it should be planned and executed when there is some relevant change (e.g. new sources or new requirements).

If you frequently need to create new indexes (weekly creation is a strange frequency!), there is probably a wrong interpretation of the index concept:

An index is a container where logs are stored; you can create indexes for each technology you ingest, but you can also put different technologies in the same index. The aspects to consider in index definition are:

  • retention,
  • access grants.

In other words, you have to put logs with the same retention period and the same access grants in the same index; if you have logs with different retention periods or different access grants, you have to put them in different indexes. Indexes aren't database tables, they are containers: the log definition is done with the sourcetype, and there is no sense in creating e.g. an index for the same logs with the week in the name.

Anyway, answering your question, you can also delay your rolling restart, but obviously until the restart is completed the new indexes aren't available!

Ciao.

Giuseppe

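As an added example (not part of the thread, and not Splunk's own code), the script below applies the two criteria from the answer above, retention and access grants, to a constructed indexes.conf and authorize.conf fragment. It reads both files with Python's configparser (Splunk's .conf files are INI-style, and a `[default]` stanza supplies defaults to every index, which configparser's `default_section` models), resolves which roles may search each index from `srchIndexesAllowed` and `importRoles`, and flags indexes that share the same retention and the same set of roles as candidates for merging, including the "one index per week" anti-pattern. Index names, role names and values are assumptions for illustration; the resolver only considers `srchIndexesAllowed` and `importRoles` and ignores other authorize.conf mechanisms. The fallback of 188697600 seconds (6 years) is Splunk's built-in default for `frozenTimePeriodInSecs`.

```python
"""Review Splunk index design by retention and access grants (added example)."""
import configparser
import fnmatch

# Constructed indexes.conf fragment (assumption, not the poster's deployment).
INDEXES_CONF = """\
[default]
frozenTimePeriodInSecs = 188697600

[web]
frozenTimePeriodInSecs = 7776000

[firewall]
frozenTimePeriodInSecs = 7776000

[hr_pii]
frozenTimePeriodInSecs = 31536000

[audit_2024_w51]
coldToFrozenDir = /archive/audit

[audit_2024_w52]
coldToFrozenDir = /archive/audit
"""

# Constructed authorize.conf fragment (assumption). importRoles lists role
# names without the "role_" prefix, as Splunk does.
AUTHORIZE_CONF = """\
[role_soc]
srchIndexesAllowed = web;firewall

[role_soc_lead]
importRoles = soc
srchIndexesAllowed = hr_pii

[role_hr]
srchIndexesAllowed = hr_pii

[role_admin]
srchIndexesAllowed = *
"""

SPLUNK_DEFAULT_RETENTION = 188697600  # built-in frozenTimePeriodInSecs (6 years)


def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}, merging [default]."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep camelCase keys such as frozenTimePeriodInSecs
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def index_retention(indexes):
    """Retention in seconds per index, falling back to Splunk's built-in default."""
    return {name: int(attrs.get("frozenTimePeriodInSecs", SPLUNK_DEFAULT_RETENTION))
            for name, attrs in indexes.items()}


def allowed_patterns(role, roles, seen=None):
    """Index patterns a role may search, including those inherited via importRoles."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    attrs = roles[role]
    patterns = {p.strip() for p in attrs.get("srchIndexesAllowed", "").split(";") if p.strip()}
    for parent in attrs.get("importRoles", "").split(";"):
        if parent.strip():
            patterns |= allowed_patterns("role_" + parent.strip(), roles, seen)
    return patterns


def roles_for_index(index, roles):
    """Roles whose allowed patterns (wildcards included) match this index."""
    return {role for role in roles if role.startswith("role_")
            and any(fnmatch.fnmatchcase(index, p) for p in allowed_patterns(role, roles))}


def merge_candidates(indexes, roles):
    """Group indexes by (retention, roles); groups larger than one share both criteria."""
    retention = index_retention(indexes)
    groups = {}
    for name in indexes:
        key = (retention[name], frozenset(roles_for_index(name, roles)))
        groups.setdefault(key, []).append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def report(indexes_conf=INDEXES_CONF, authorize_conf=AUTHORIZE_CONF):
    """Print per-index retention and roles, then the merge candidates."""
    indexes, roles = parse_conf(indexes_conf), parse_conf(authorize_conf)
    retention = index_retention(indexes)
    for name in indexes:
        print(f"{name}: retention={retention[name]}s roles={sorted(roles_for_index(name, roles))}")
    for (secs, role_set), names in merge_candidates(indexes, roles).items():
        print(f"same retention ({secs}s) and roles {sorted(role_set)}: consider merging {names}")
    return merge_candidates(indexes, roles)


if __name__ == "__main__":
    report()
```

In the constructed input, `web` and `firewall` share a 90-day retention and the same searching roles, and the two weekly audit indexes inherit the `[default]` retention and are reachable only by `role_admin`, so both pairs are reported as candidates to collapse into one index, which also removes the weekly index creation that triggers the rolling restart in the question.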