Solved: Where to create an index in a clustered environmen...

Prakash493 · ‎04-24-2019

Hi , i have a clustered environment
3 search heads and a cluster , in cluster i used to deployer apps
have 4 indexers and an indexer cluster master

i need to create an index but confuse where to create should i create it in indexer cluster master and push the bundle to other indexers if i do so is user able to search through search heads , or do i need to deploy it in search head deployer and push the updates ,

i am confused between these two.

codebuilder · ‎04-24-2019

You'll want to define your indexes on the master at /opt/splunk/etc/master-apps/_cluster/local/indexes.conf.

Then you can validate and push out the bundle to the indexers from the master with the following commands:

splunk validate cluster-bundle
splunk show cluster-bundle-status
splunk apply cluster-bundle

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎04-24-2019

You'll want to define your indexes on the master at /opt/splunk/etc/master-apps/_cluster/local/indexes.conf.

Then you can validate and push out the bundle to the indexers from the master with the following commands:

splunk validate cluster-bundle
splunk show cluster-bundle-status
splunk apply cluster-bundle

----
An upvote would be appreciated and Accept Solution if it helps!

euriska · ‎07-14-2022

Just a footnote, mine replicated and looked like they should be working until I realized I spelled the filename indexs.conf instead of indexes.conf

ddrillic · ‎04-24-2019

We had recently an interesting discussion about /opt/splunk/etc/master-apps/_cluster/local/indexes.conf at How to create a new index?

Prakash493 · ‎04-25-2019

i have seen in my splunk environment all the indexes under at /opt/splunk/etc/master-apps/(app name)/local then indexes are their ,should i create here or this location opt/splunk/etc/master-apps/_cluster/local/indexes.conf. , i am not seeing any indexes here ?

codebuilder · ‎04-24-2019

If you deploy indexes.conf via the master at /opt/splunk/etc/master-apps/_cluster/local/indexes.conf then your indexes.conf on the peer nodes (indexers) will reside at /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf.

In a clustered environment, I'm not a fan of deploying indexes.conf any other way, though it can be done (e.g. in a custom app).
If that app gets deleted, or you inadvertently deploy with the app directory missing, or wrong permissions, etc. then you're going to have problems.

The /opt/splunk/etc/master-apps/_cluster/local/ is a special directory intended just for this purpose, and is documented as such:
https://docs.splunk.com/Documentation/Splunk/7.0.4/Indexer/Updatepeerconfigurations

----
An upvote would be appreciated and Accept Solution if it helps!

Prakash493 · ‎04-24-2019

Thanks but after that i dont need to do anything search head deployer , or when i search in search head it will come automatically right ?

codebuilder · ‎04-24-2019

The deployer is for pushing applications to your search head cluster.

The indexer master is for pushing indexes.conf to your indexer cluster (as well as other jobs it performs).

----
An upvote would be appreciated and Accept Solution if it helps!

Prakash493 · ‎04-24-2019

Ok thank you ao much for info

codebuilder · ‎04-24-2019

Glad to help!

----
An upvote would be appreciated and Accept Solution if it helps!

Where to create an index in a clustered environment?

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation