I am using something pretty similar to this in my transforms.conf to dynamically put events in the desired indexes.
https://answers.splunk.com/answers/150266/dynamic-index-assignment-based-on-event-or-log-prefix.html
There are situations where the index doesn't quite exist yet. When that happens the file sink-holes into the ether, not to be ingested, nor kept in the original directory.
I'm looking to write some code to get in front of it, and:
1. watch the directories
2. ensure the appropriate index exists
3. then drop the file in the Splunk-watched directory (or maybe use the API/CLI to directly ingest the file into Splunk to the correct index).
This is not a clustered Splunk, though if required, it is possible. (I came across this question https://answers.splunk.com/answers/387133/how-to-create-index-using-rest-api-in-a-clustered.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev)
My concern is that the solution is pointing to something like editing the indexes.conf file and rebooting Splunk through the command line. Is this possible via the REST API? I would also prefer not to have to reboot and kick the users off. What does the Splunk UI use to do it?
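The three steps the question lists (derive the index from the file, make sure it exists, hand the file to Splunk) as an added worked example; this is not code from the original post or from Splunk. It talks to the two documented REST endpoints on the management port: `/services/data/indexes` (GET to check, POST to create, the same interface Splunk Web's Settings > Indexes page goes through, so no indexes.conf edit and no restart) and `/services/data/inputs/oneshot` (POST to ingest one file into a named index). Assumptions, all labelled in the code: a stand-alone instance at `SPLUNK_URL` with a bearer token in `SPLUNK_TOKEN`, the file-name-prefix convention in `index_name_from_path`, and `FakeSplunk`, an in-memory stand-in for the two endpoints so the script runs offline. Because the index name is derived from an untrusted file name and interpolated into a URL path, it is validated against Splunk's own index-name rule before any request is built.

```python
"""Ensure a Splunk index exists, then ingest a file into it over REST.

Added example, not code from the original post. Assumed environment: a
non-clustered splunkd reachable at SPLUNK_URL, a token in SPLUNK_TOKEN,
and optionally the splunkd CA certificate path in SPLUNK_CA.
"""
import json
import os
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

SPLUNK_URL = os.environ.get("SPLUNK_URL", "https://localhost:8089")  # assumption
SPLUNK_TOKEN = os.environ.get("SPLUNK_TOKEN", "")                     # assumption
SPLUNK_CA = os.environ.get("SPLUNK_CA")  # None -> system trust store

# Splunk's rule for index names: lowercase letters, digits, '_' and '-',
# not starting with '_' or '-'. Enforcing it here also stops a crafted
# file name from becoming an extra path segment in the REST URL.
_INDEX_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def index_name_from_path(path):
    """Assumed convention: index = file name up to the first '.', lowercased.
    'webapp-prod.2024-05-01.log' -> 'webapp-prod'. Adapt to the prefix rule
    your transforms.conf uses."""
    name = os.path.basename(path).split(".", 1)[0].lower()
    if not _INDEX_RE.match(name):
        raise ValueError("file name does not yield a valid index name: %r" % name)
    return name


def _parse(raw):
    try:
        return json.loads(raw or b"{}")
    except ValueError:
        return {"raw": raw.decode(errors="replace")}


def rest_send(method, path, fields=None):
    """Real transport: one request to the management port, JSON in/out."""
    url = SPLUNK_URL + path
    data = None
    if fields is not None:
        data = urllib.parse.urlencode(dict(fields, output_mode="json")).encode()
    else:
        url += "?output_mode=json"
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + SPLUNK_TOKEN)
    ctx = ssl.create_default_context(cafile=SPLUNK_CA)  # verify splunkd's cert, do not disable
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, _parse(e.read())


def index_exists(name, send=rest_send):
    status, _ = send("GET", "/services/data/indexes/" + urllib.parse.quote(name, safe=""))
    if status == 200:
        return True
    if status == 404:
        return False
    raise RuntimeError("unexpected HTTP %d while checking index %r" % (status, name))


def ensure_index(name, send=rest_send):
    """Create the index if it is missing; returns 'exists' or 'created'.
    The POST takes effect immediately: no indexes.conf edit, no restart."""
    if not _INDEX_RE.match(name):
        raise ValueError("invalid index name %r" % name)
    if index_exists(name, send):
        return "exists"
    status, body = send("POST", "/services/data/indexes", {"name": name})
    if status not in (200, 201):
        raise RuntimeError("index create failed (%d): %s" % (status, body))
    return "created"


def oneshot_file(path, index, sourcetype, send=rest_send):
    """Ingest one file with the oneshot input. splunkd opens the path itself,
    so it must be an absolute path readable by the splunkd user."""
    fields = {"name": os.path.abspath(path), "index": index, "sourcetype": sourcetype}
    status, body = send("POST", "/services/data/inputs/oneshot", fields)
    if status not in (200, 201):
        raise RuntimeError("oneshot failed (%d): %s" % (status, body))
    return status


def route_file(path, sourcetype="syslog", send=rest_send):
    """Whole workflow for one dropped file: derive index, ensure it, ingest."""
    index = index_name_from_path(path)
    action = ensure_index(index, send)
    oneshot_file(path, index, sourcetype, send)
    return index, action


class FakeSplunk:
    """Constructed in-memory stand-in for the two endpoints (offline runs)."""
    def __init__(self, existing):
        self.indexes = set(existing)
        self.ingested = []  # (path, index, sourcetype)

    def __call__(self, method, path, fields=None):
        if method == "GET" and path.startswith("/services/data/indexes/"):
            name = urllib.parse.unquote(path.rsplit("/", 1)[1])
            return (200, {}) if name in self.indexes else (404, {})
        if method == "POST" and path == "/services/data/indexes":
            self.indexes.add(fields["name"])
            return 201, {}
        if method == "POST" and path == "/services/data/inputs/oneshot":
            self.ingested.append((fields["name"], fields["index"], fields["sourcetype"]))
            return 201, {}
        return 400, {"messages": "unhandled request"}


if __name__ == "__main__":
    fake = FakeSplunk({"main", "webapp-prod"})  # constructed sample state
    for p in ("/var/drop/webapp-prod.2024-05-01.log", "/var/drop/billing.2024-05-01.log"):
        print(p, "->", route_file(p, send=fake))
    print(sorted(fake.indexes), fake.ingested)
```

To use it against a real instance, pass nothing for `send` (the default `rest_send`), export `SPLUNK_URL`, `SPLUNK_TOKEN` and, for a self-signed splunkd certificate, `SPLUNK_CA`; the account behind the token needs the `indexes_edit` capability to create indexes and permission on the oneshot input. Wire `route_file` to whatever directory watcher you pick (inotify, a polling loop) and only move or delete the source file after `oneshot_file` returns, so nothing sinks into the ether.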