Solved: Re: How to properly disable an index to avoid any ...

ram254481493 · ‎06-02-2019

Hi , currently i have an index which receives data from more then 100 hosts. I have been told to disable the index , as we are in cluster i edit the indexes.conf file and added disabled=true , is it going to disable the index ? Also do i need to disable the monitoring path currently forwarded to this index ? I am confuse can any one please explain the proper steps that needs to follow to disable an index to avoid any potential impact ?

skalliger · ‎06-02-2019

Hi,

I would start by disabling the corresponding inputs.conf specification first. When you're sure no new data is coming in, you can, as you said, simply add disabled = true to the indexes.conf index' stanza.

Skalli

View solution in original post

skalliger · ‎06-02-2019

Hi,

I would start by disabling the corresponding inputs.conf specification first. When you're sure no new data is coming in, you can, as you said, simply add disabled = true to the indexes.conf index' stanza.

Skalli

ram254481493 · ‎06-03-2019

Thanks it works.

skalliger · ‎06-03-2019

Glad it worked, thanks for the feedback!

How to properly disable an index to avoid any potential impact?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases