How to find the indexes.conf and monitor stanza fo...

harshal_chakran · ‎10-11-2021

Hi all,
I have indexer clusters at multiple sites, but common Search Heads.

I want to remove certain indexes which holds no data.

How can I find in which indexer cluster's indexes.conf , the certain indexes entries are present.
Also in which deployment app of which indexer the related monitoring stanza is present.

Is there any rest api command to get the details?

Thanks in Advance

richgalloway · ‎10-11-2021

Please tell us more about your environment. Usually, even a multi-site indexer cluster has a single Cluster Manager so there's only one place to look for indexes ($SPLUNK_HOME/etc/master-apps on the CM).

If you have more than one CM then you have more than one master-apps directory in which to look.

To find the specific app that defines the index, run this command on each CM

find /opt/splunk/etc/master-apps -name indexes.conf -print0 | xargs -r0 egrep "^\[indexname]"

---
If this reply helps you, Karma would be appreciated.

harshal_chakran · ‎10-12-2021

Hi,
We have a separate multiple CM
Thanks for answer, I will try the same.

Do we have any combinations of rest api to get the details from SH? Or from CM server itself??

richgalloway · ‎10-12-2021

There is the services/cluster/master/indexes API, but it doesn't return app information. See the REST API Reference Manual for details.

---
If this reply helps you, Karma would be appreciated.

How to find the indexes.conf and monitor stanza for certain indexes in multisite environment

indexer

indexer clustering

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases