Deployment Architecture

Indexes are not creating after apply Cluster-Bundle

princemanto2580
Path Finder

Hello,

After several trial and error, I can not sort out the issue for additional Indexes creation for cluster peers. As per the docs, i prefer to create indexes.conf under master-app of cluster master and then run splunk apply cluster-bundle. As a result I can see the apps pushed to slave-apps of each index. But under indexes, no addition index has been created. Am i missing any configuration. Below are the details.

@CLUSTER-MASTER:

[splunker@CM01_152 ~]$ cat /opt/splunk/etc/master-apps/my_cluster_indexes/indexes.conf
[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 600
coldToFrozenDir = /opt/frozen/test
thawedPath = $SPLUNK_DB/test/thaweddb
maxDataSize = 300
repFactor = auto

[splunker@CM01_152 ~]$ /opt/splunk/bin/splunk apply cluster-bundle
Created new bundle with checksum=B537979883FDCEF82CC3F5035C811E56

Applying new bundle. The peers may restart depending on the configurations in applied bundle.

@CLUSTER-PEER:

[splunker@IDX01_153 ~]$ cat /opt/splunk/etc/slave-apps/my_cluster_indexes/indexes.conf
[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 600
coldToFrozenDir = /opt/frozen/test
thawedPath = $SPLUNK_DB/test/thaweddb
maxDataSize = 300
repFactor = auto

NOTE THAT, I HAVE GIVEN PERMISSION 755 TO USER SPLUNKER ON /OPT/FROZEN/TEST

No error or warning massage at Distribute Configuration Bundle from Cluster Master Node. Even after restart cluster master and rolling restart for cluster-peers not showing me additional index at cluster peer.

0 Karma
1 Solution

masonmorales
Influencer

You need to put your indexes.conf under /opt/splunk/etc/master-apps/_cluster/local/indexes.conf

After you've made the change, and pushed the new bundle, you can verify that the index exists on a cluster peer by running the following on one of the peers:

splunk cmd btool indexes list

Also note that the index will not show up in the cluster master's indexes list until the new index has some data in it.

View solution in original post

0 Karma

masonmorales
Influencer

You need to put your indexes.conf under /opt/splunk/etc/master-apps/_cluster/local/indexes.conf

After you've made the change, and pushed the new bundle, you can verify that the index exists on a cluster peer by running the following on one of the peers:

splunk cmd btool indexes list

Also note that the index will not show up in the cluster master's indexes list until the new index has some data in it.

0 Karma

princemanto2580
Path Finder

Hi masonmorales,

Sorry for the typo of my previous post. I actually put my indexes.conf under local of "my_cluster_indexes" app of Cluster-Master. But I will try to follow your suggestion as you put it under local of _cluster app.

But my question is, will that index name as "test" can been seen from Cluster-Peers.

If the answer is simply NO, then it is fine for me. But if the answer is YES, then it is a problem for me.

Hope you can understand my doubt.

0 Karma

masonmorales
Influencer

I'm not exactly sure what you mean by, "can be seen from cluster-peers", or why it would be a problem. Could you explain a little further?

The cluster bundle gets pushed from the cluster master to each of the cluster peers, so they all receive a copy of the indexes.conf file.

0 Karma

masonmorales
Influencer

Update: Based on the configurations you added to your question, you should be able to send data into the new index now. The index will not show up in Splunk Web until some events have been added to it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...