Locally defined indexes have disappeared from the config. Did anyone else encounter this?
Specifically I had defined indexes for syslog and web logs in previous installations. The were preserved through the upgrade from 5.0.5 to 6.0, and the data still exists, but the index configuration was missing from default or local config.
The data still existed, and manually entering stanzas for the indexes in etc/system/local/indexes.conf restored them to visibility. I have yet to determine whether any entries went missing in the few minutes they were out of commission.
This is the reason why you should never modify any configuration in default/ as an upgrade will overwrite your configuration.
Indeed. However, in THIS instance I did not. It was a prior Splunk installation which appears to have done so when adding the log sources through the UI, which I never then thought to seek out the configurations for. It is all the more puzzling because other configuration tweaks WERE stored in local, and furthermore it survived previous upgrades (through the various releases of 5.0.x).
The data still existed, and manually entering stanzas for the indexes in etc/system/local/indexes.conf restored them to visibility. I have yet to determine whether any entries went missing in the few minutes they were out of commission.
Wherever Splunk wrote them by default, when I created them through the UI immediately post-installation when I first installed v5.0. But when I created them manually I did so in system/local where some of the previously overridden default values for the pre-existing system indexes, but no entries for the missing indexes, so I suspect they'd been created in default.
Where were the indexes.conf originally located? In etc/system/local/ or etc/system/local?