Re: influence of removing index for ITSI

kanam · ‎12-13-2020

Now I want to remove one index.

However I've already create some service and entity related to the index in ITSI.

After removing index once, I'll create new index as same name.

Is there some influence for ITSI?

kanam · ‎12-14-2020

richgalloway,

Thank you for reply.

How about when I create new index as same index name?

ex) Now I use index "TEST" for ITSI

Once I delete it.

And I create index "TEST" for ITSI again.

Then, will ITSI run well same as before?

richgalloway · ‎12-15-2020

My answer is predicated on the index name not changing, as stated in the original posting.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎12-13-2020

Yes.

When the index is removed, ITSI will not find data in that index. Depending on what your searches do, ITSI could be silent or it could generate alerts (missing entities, service is down, etc.).

The same will be true when the index is replaced until there is sufficient data in the index to satisfy the searches.

---
If this reply helps you, Karma would be appreciated.

influence of removing index for ITSI

administration

development

troubleshooting

using Splunk Enterprise

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?