V6.0.1 update appears to have broken indexes.conf

grijhwani
Motivator

Locally defined indexes have disappeared from the config. Did anyone else encounter this?

Specifically I had defined indexes for syslog and web logs in previous installations. They were preserved through the upgrade from 5.0.5 to 6.0, and the data still exists, but the index configuration was missing from default or local config.


grijhwani
Motivator

The data still existed, and manually entering stanzas for the indexes in etc/system/local/indexes.conf restored them to visibility. I have yet to determine whether any entries went missing in the few minutes they were out of commission.


the_wolverine
Champion

This is the reason why you should never modify any configuration in default/ as an upgrade will overwrite your configuration.

grijhwani
Motivator

Indeed. However, in THIS instance I did not. It was a prior Splunk installation which appears to have done so when adding the log sources through the UI, which I never then thought to seek out the configurations for. It is all the more puzzling because other configuration tweaks WERE stored in local, and furthermore it survived previous upgrades (through the various releases of 5.0.x).


grijhwani
Motivator

Wherever Splunk wrote them by default, when I created them through the UI immediately post-installation when I first installed v5.0. But when I created them manually I did so in system/local where some of the previously overridden default values for the pre-existing system indexes, but no entries for the missing indexes, so I suspect they'd been created in default.


bosburn_splunk
Splunk Employee

Where were the indexes.conf originally located? In etc/system/local/ or etc/system/local?
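
The question of which file defines each index can be checked before an upgrade. The following is an added example, not part of the thread and not Splunk's own tooling: it scans an etc/ tree for indexes.conf files and reports whether each named index is defined in a local/ directory, only in a default/ directory, or nowhere. The function names, the index names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]$")  # a conf stanza header such as [syslog]


def stanza_sources(etc_dir):
    """Map each indexes.conf stanza name to the files (relative to etc_dir) defining it."""
    etc_dir, sources = Path(etc_dir), {}
    for conf in sorted(etc_dir.rglob("indexes.conf")):
        for line in conf.read_text(encoding="utf-8", errors="replace").splitlines():
            match = STANZA.match(line.strip())
            if match:
                sources.setdefault(match.group(1), []).append(conf.relative_to(etc_dir).as_posix())
    return sources


def classify(etc_dir, index_names):
    """Label each index 'local', 'default-only' (lost if default/ is replaced) or 'missing'."""
    sources, report = stanza_sources(etc_dir), {}
    for name in index_names:
        files = sources.get(name, [])
        if not files:
            report[name] = "missing"
        elif any(Path(f).parent.name == "local" for f in files):
            report[name] = "local"
        else:
            report[name] = "default-only"
    return report


def build_sample_tree():
    """Constructed sample etc/ tree; index names and contents are illustrative only."""
    etc = Path(tempfile.mkdtemp()) / "etc"
    stanza = "[{0}]\nhomePath = $SPLUNK_DB/{0}/db\ncoldPath = $SPLUNK_DB/{0}/colddb\nthawedPath = $SPLUNK_DB/{0}/thaweddb\n"
    files = {
        "system/default/indexes.conf": stanza.format("main") + stanza.format("syslog"),
        "system/local/indexes.conf": "[main]\nmaxTotalDataSizeMB = 100000\n" + stanza.format("weblogs"),
    }
    for rel, text in files.items():
        path = etc / rel
        path.parent.mkdir(parents=True)
        path.write_text(text, encoding="utf-8")
    return etc


if __name__ == "__main__":
    etc = build_sample_tree()
    for name, status in classify(etc, ["syslog", "weblogs", "firewall"]).items():
        print(f"{name:10} {status:13} {stanza_sources(etc).get(name, [])}")
```

On a live instance, `splunk btool indexes list --debug` reports the same file-of-origin information for each setting.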
