Solved: Why do newly created indexes not show up on the se...

horsefez · ‎01-29-2016

Hi fellow Splunkers!

I have a working distributed environment, containing an indexer cluster with a separate master node and one search head.
I have configured "forwarding search-head data to peers" already.

This is my requirement:

If I need to analyze new data, I want to upload a small data file via Splunk Web. Splunk Web is only available on the search head.
At one step in the uploading process of a new file, I need to specify an index, which should store the data. BUT... somehow only the Splunk standard indexes are showing. Already configured custom-indexes won't.

How am I able to upload small data files via search head and assign them to custom indexes?

Thanks for the help!

Kind regards,
pyro_wood

renjith_nair · ‎01-29-2016

You will be able to add data only to local indexes through web , ie; index which are created on search head. To load data to index on indexer, you have to configure forwarder to forward data which you have done already.

Happy Splunking!

View solution in original post

renjith_nair · ‎01-29-2016

You will be able to add data only to local indexes through web , ie; index which are created on search head. To load data to index on indexer, you have to configure forwarder to forward data which you have done already.

Happy Splunking!

horsefez · ‎02-01-2016

I'm sorry, I don't understand how this is an answer.

Can you tell me how you would add data to custom indexes in this environment?

renjith_nair · ‎02-01-2016

What I meant is , in an indexer cluster environment from search head you won't be able to see the indexes created on indexers , you will be able to see only local indexes which are created on that particular search head

Happy Splunking!

horsefez · ‎02-01-2016

Ok, thank you 🙂

peetchow · ‎05-03-2016

If this is the case ... do i need to create the index on the search head also ?

For example i am looking to create a data input via REST API. in the configuration page, I am given a dropdown to select the index that i want the data to go to. But the new index is not listed in the dropdown because i created the index in the ClusterMaster and applied the bundle down to the indexers.

I see the new index in the indexers but not in the searchhead ... so again do i create the index again on the search head or do i create the REST API data input on the indexer?

thanks !
Pete

bstimely · ‎01-29-2020

I have the same issue with the REST API. I finally just used the settings-> indexes-> new index to add an entry with the same name as the Index in my IDX Cluster. As long as you have the searchheads to forward all events to the IDX layer you should be fine.

alemarzu · ‎01-29-2016

Where did you create the new index, on your Peers or the Search Head?

EDIT: For indexing small files (100 lines or less) , you should read the documentation.
http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Propsconf

horsefez · ‎02-01-2016

I created the indexes on the master-node and then distributed them to the peers via cluster-bundle.

Why do newly created indexes not show up on the search head?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!