Getting Data In

Splunk app data index issue

yasit
Explorer
my app contains the index.conf which declares the index that is installed on the heavy forwarder and it is not installed on the indexer. The problem is that data does not land on the indexer
0 Karma
1 Solution

dural_yyz
Builder

https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setupmultipleindexes


You don't have to add your app to the indexers but you must define your index on the indexers.  A stand-alone instance can define it via GUI management, however if you have an indexing cluster you must use the CLI to edit an indexes.conf file which is pushed in the CM bundle to the IDX tier.


0 Karma

dural_yyz
Builder

Agreed - you need to have the index defined on the indexers.  Since the HF cooks the data when it comes across you need to have matching configuration at the receiving side.  Failure to do this will mean your data will route to the last chance index.

On the indexer check btool config for indexes.conf

[default]
lastChanceIndex = <index name>
* An index that receives events that are otherwise not associated with a valid index.
* If you do not specify a valid index with this setting, such events are dropped entirely.
* Routes the following kinds of events to the specified index:
  * events with a non-existent index specified at an input layer, like an invalid "index" setting in inputs.conf
  * events with a non-existent index computed at index-time, like an invalid _MetaData:Index value set from a "FORMAT" setting in transforms.conf
* You must set 'lastChanceIndex' to an existing, enabled index. Splunk software cannot start otherwise.
* If set to "default", then the default index specified by the 'defaultDatabase' setting is used as a last chance index.
* Default: empty string


0 Karma
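An added check for the mismatch described above (not code from this thread or from Splunk): it compares the index stanzas an app's indexes.conf declares on the HF with the stanzas the indexer reports via `splunk btool indexes list`, and reads the effective lastChanceIndex. The index names and the btool output are constructed samples; in practice you would feed it the real files.

```shell
#!/bin/sh
# Added example: find HF-declared indexes the indexer does not define.

# Constructed sample: the app's indexes.conf as deployed on the HF.
HF_INDEXES_CONF='[myapp_scripted]
homePath = $SPLUNK_DB/myapp_scripted/db
coldPath = $SPLUNK_DB/myapp_scripted/colddb

[myapp_audit]
homePath = $SPLUNK_DB/myapp_audit/db
coldPath = $SPLUNK_DB/myapp_audit/colddb'

# Constructed sample: abridged `splunk btool indexes list` output on the
# indexer, where only myapp_audit was created and lastChanceIndex is unset.
IDX_BTOOL_OUT='[default]
lastChanceIndex =
[main]
homePath = $SPLUNK_DB/defaultdb/db
[myapp_audit]
homePath = $SPLUNK_DB/myapp_audit/db'

# Print the index names (stanza headers) in indexes.conf-style text, skipping
# the [default] stanza and [volume:...] definitions, which are not indexes.
stanza_names() {
  printf '%s\n' "$1" | awk '/^\[/ {
    n = $0; sub(/^\[/, "", n); sub(/\].*$/, "", n)
    if (n != "default" && n !~ /^volume:/) print n }'
}

# Print the effective lastChanceIndex from [default], or "unset" when it is
# empty or absent (unset means events for unknown indexes are dropped).
last_chance_index() {
  printf '%s\n' "$1" | awk '
    /^\[/ { in_default = ($0 == "[default]") }
    in_default && /^lastChanceIndex[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); found = 1; exit }
    END { if (found && v != "") print v; else print "unset" }'
}

# Print every index the HF declares that the indexer does not define.
missing_indexes() {
  { stanza_names "$2" | sed 's/^/IDX /'; stanza_names "$1" | sed 's/^/HF /'; } |
    awk '$1 == "IDX" { have[$2] = 1 } $1 == "HF" && !($2 in have) { print $2 }'
}

echo "lastChanceIndex on indexer: $(last_chance_index "$IDX_BTOOL_OUT")"
missing_indexes "$HF_INDEXES_CONF" "$IDX_BTOOL_OUT" | sed 's/^/MISSING on indexer: /'
```

With the samples above it reports myapp_scripted as missing and lastChanceIndex as unset, which is exactly the case where the HF's scripted-input events are dropped on the indexer.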

yasit
Explorer

@dural_yyz Thanks for the insight,
I've declared the index in my app's indexes.conf which is installed on the HF which essentially is being populated by scripted input. 
But is there a way around where I don't have to install my app on the indexers? And also can you please provide the reference where it mentions that I have to install my app in Indexer?

0 Karma


yasit
Explorer

thanks @gcusello 

what seems to be the issue? my understanding was that by default if Splunk receives data for an index that doesn't exist, it will attempt to create the index dynamically. 


0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @yasit,

it isn't correct: if you are trying to send logs to a non-existing index, you get a message (something like this: "unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:System"), but the index isn't automatically created.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @yasit,

you have two choices:

  • install the app also on Indexers (I don't hint),
  • manually create the index on the Indexer.

usually this is described in the instructions, which is the app?

Ciao.

Giuseppe
