Deployment Architecture

How come my new Index is not showing in DMC?

wendtb
Path Finder

I recently added a new index in Splunk. I am running with 2 clustered indexes. The index is pulling in data, and shows up in DMC, Index > Indexes and Volumes: Deployment tab. However, it doesn't show up in Settings > Data > Indexes on Master, or any search heads.

Index shows up showing data is there using this search

| REST /services/data/indexes
| eval sizeGB = currentDBSizeMB/1024
| eval sizeGB = round(sizeGB, 3)
| table title, sizeGB

Is there a way to get the index to show up in the web GUI?

0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

In a multi-server environment its a good idea to create a master copy of the indexes.conf file that contains all your indexes. You then need to manually copy this to all servers (and keep it in sync). There is no in-built synchronization of index names.

If you don't want to do this, then you can just create pretend indexes on the other servers using the UI. When you create these pretend indexes on the other servers, they wont contain data. but it will mean that type-ahead completion and the ability to define data inputs properly will work.

Finally, you can still search the index from the search heads, even though the index does not show up. You won't be able to control permissions to it though.

All the best.

View solution in original post

woodcock
Esteemed Legend

One trick that you can do to see the source XML of any splunk dashboardThe DMC searches start out like this:

| rest splunk_server=$splunk_server$ /services/data/indexes $datatype$
| join type=outer title [| rest splunk_server=$splunk_server$ /services/data/indexes-extended $datatype$]
| `dmc_exclude_indexes`

So you should check out the dmc_exclude_indexes macro. Also see if the splunk_server=$splunk_server$ changes things for you.

P.S. If you add ?showsource=true to any dashboard, Splunk will show you the XML source of the panel, even if the Edit button is not there (but you won't be able to change/save it).

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

In a multi-server environment its a good idea to create a master copy of the indexes.conf file that contains all your indexes. You then need to manually copy this to all servers (and keep it in sync). There is no in-built synchronization of index names.

If you don't want to do this, then you can just create pretend indexes on the other servers using the UI. When you create these pretend indexes on the other servers, they wont contain data. but it will mean that type-ahead completion and the ability to define data inputs properly will work.

Finally, you can still search the index from the search heads, even though the index does not show up. You won't be able to control permissions to it though.

All the best.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...