I'm interested in setting up a Splunk server where each customer would have their own indexes and would only be able to search that one index. However, we'd definitely need to build the overall system such that the indexes, users, and roles could be created on the fly without restarting the server. I know you cannot create indexes on the fly in 4.1 (i.e. without restarting), and although the docs don't say that you can do this in 4.2, I thought I'd ask -- can this be done in 4.2, and if so, how would you go about it?

This is indeed new 4.2 functionality. From the CLI, one can simply run:

The newly-created index will be ready to use at this point. The UI will do the "splunk reload index" for you, so any indexes created from the UI are ready to be used right away.

One caveat here is that on a system where splunkd is very busy, there might be a delay between the execution of the index reload and the actual availability of the index to throw data at. As a rule of thumb, this delay is usually measured in seconds, but if you want to be sure that the index will be available, I would recommend waiting for 30 seconds to 1 minute after the dynamic reload before sending data to it.

Do note that "splunk reload index" only allows adding new indexes. You will not be able to remove a pre-existing index on the fly in this way.

Can you comment on how to use this with a distributed deployment? Can I update the indexes.conf file manually or do I have to use the splunk add <index> command? I presume I'd have to run the splunk reload index command on each indexer?
(26 Oct '11, 13:43)
tpsplunk
In a distributed deployment environment, you would have to use the CLI remotely (with a -uri option) or direct REST API calls to create new indexes and reload the indexing configuration on remote indexers. And yes, this operation (index creation + conf reload) would need to be performed on each indexer.
(26 Oct '11, 16:52)
hexx ♦
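
The per-indexer procedure from the comments above (create the index, then reload, on every indexer via `-uri`), as an added example that is not part of the original thread. The `splunk add index <name>` form, the index-name policy, the `SPLUNK_BIN` and `SETTLE_SECS` variables and the hostnames are assumptions; credentials are left to the CLI's own prompt.

```shell
#!/bin/sh
# Added example (not from the thread): roll one tenant index out to every indexer.
LC_ALL=C; export LC_ALL

# Assumed naming policy: lowercase letters, digits, '_' and '-', starting
# with a letter or digit and at most 64 characters, so a customer-supplied
# name cannot smuggle CLI options or shell metacharacters.
valid_index_name() {
    case "$1" in
        ''|[!a-z0-9]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Management URIs must look like https://host:port, from a safe character set.
valid_mgmt_uri() {
    case "$1" in
        https://*[!A-Za-z0-9.:-]*) return 1 ;;
        https://?*:[0-9]*) return 0 ;;
    esac
    return 1
}

# Print the per-indexer commands: create, then reload, on each URI.
# $1 = index name, remaining arguments = indexer management URIs.
plan_index_rollout() {
    name=$1; shift
    valid_index_name "$name" || { echo "index name rejected" >&2; return 2; }
    for uri in "$@"; do
        valid_mgmt_uri "$uri" || { echo "indexer URI rejected" >&2; return 3; }
    done
    for uri in "$@"; do
        printf '%s add index %s -uri %s\n' "${SPLUNK_BIN:-splunk}" "$name" "$uri"
        printf '%s reload index -uri %s\n' "${SPLUNK_BIN:-splunk}" "$uri"
    done
}

# Run the rollout; stop at the first indexer that fails so a partial
# rollout is reported instead of silently ignored.
run_index_rollout() {
    plan_index_rollout "$@" >/dev/null || return $?
    name=$1; shift
    for uri in "$@"; do
        "${SPLUNK_BIN:-splunk}" add index "$name" -uri "$uri" &&
        "${SPLUNK_BIN:-splunk}" reload index -uri "$uri" ||
            { echo "rollout incomplete, failed on $uri" >&2; return 1; }
    done
    sleep "${SETTLE_SECS:-30}"   # settle time from the answer: 30 s to 1 min
}

# Constructed sample: one tenant index, two indexers. Prints the plan only.
plan_index_rollout customer_acme https://idx1.example.internal:8089 https://idx2.example.internal:8089
```

Only send data to the new index after `run_index_rollout` returns 0, since a non-zero status means at least one indexer does not have it yet.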
