<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Summary Indexing in distributed Splunk servers in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78111#M15978</link>
    <description>&lt;P&gt;@ Sowings&lt;/P&gt;

&lt;P&gt;Thanks for the reply and into your time&lt;/P&gt;

&lt;P&gt;Is this the same with distributed search located at manager tab?&lt;/P&gt;

&lt;P&gt;Because my current set-up is &lt;BR /&gt;
I set this set-up using distributed search located at mangers tab&lt;/P&gt;

&lt;P&gt;Search Head Server search peer i add the 5 indexing servers&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Summary Indexing Server

Summary indexing Server Also i add a search peer
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;HR /&gt;

&lt;P&gt;And now i need to save a search and enable it the summary indexing and choose my created sample index and set schedule and save it using summary indexing server&lt;/P&gt;

&lt;P&gt;after a hour to check if the date already save with my created sample indexes the search head server will do that using this search string ( splunk_server=* index=sample_indexes ) and now i can view the consisting data that i created on my summary indexing server and now i can now used my created indexes from my summary indexing server to create a dashboard.&lt;/P&gt;

&lt;P&gt;and now i am asking this is right or i am just wasting my time?&lt;/P&gt;

&lt;P&gt;Thanks and regards&lt;BR /&gt;
Cris&lt;/P&gt;

&lt;P&gt;Please don't hesitate to ask me if i need to elaborate more my question &lt;/P&gt;

&lt;P&gt;Thanks thanks &lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 12:33:09 GMT</pubDate>
    <dc:creator>christantoy</dc:creator>
    <dc:date>2020-09-28T12:33:09Z</dc:date>
    <item>
      <title>Summary Indexing in distributed Splunk servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78107#M15974</link>
      <description>&lt;P&gt;Hi sir/ma'am&lt;/P&gt;

&lt;P&gt;I have a 8 servers with splunk and splunkforwarder &lt;/P&gt;

&lt;P&gt;Server 1 - indexer1 ( with Splunk )&lt;BR /&gt;
Server 2 - indexer2 ( with Splunk )&lt;BR /&gt;
Server 3 - indexer3 ( with Splunk )&lt;BR /&gt;
Server 4 - indexer4 ( with Splunk )&lt;BR /&gt;
server 5 - indexer5 ( with Splunk )&lt;BR /&gt;
server 6 - Logs Server ( with Splunk forwarder and syslog-ng)&lt;BR /&gt;
server 7 - search head ( with Splunk )&lt;BR /&gt;
server 8 - summary indexing ( with Splunk )&lt;/P&gt;

&lt;P&gt;And now this is my set-up on &lt;/P&gt;

&lt;P&gt;Logs Server are now sending logs with the 5 indexer2&lt;BR /&gt;
and&lt;BR /&gt;
the the search head are now configured the listen into the 5 indexers using search peer in splunk and its working..&lt;/P&gt;

&lt;P&gt;Now my question is&lt;/P&gt;

&lt;P&gt;How i can set-up a summary indexing with my summary indexing server? that can search my created index in summary indexing server into my search head server&lt;/P&gt;

&lt;P&gt;i tried my own set-up but i not quiet sure if i am right&lt;/P&gt;

&lt;P&gt;this is my set-up&lt;/P&gt;

&lt;P&gt;in summary indexing server i create search peer located at distributed search listening to the 5 indexing server and now i can view the logs came from the indexing servers and also i create a new index named sample_summary and also a create a search with summary indexing enable pointed with my new created index and now i check my created index and now it have a data.&lt;/P&gt;

&lt;P&gt;so next step is to check into search head and its now searchable i used this kind of search string&lt;/P&gt;

&lt;P&gt;( splunk_server="xxx-xxxxx" index=sample_summary )&lt;/P&gt;

&lt;P&gt;Thats my current set-up &lt;/P&gt;

&lt;P&gt;Let e know if i need to elaborate my question more&lt;/P&gt;

&lt;P&gt;thanks and best regards&lt;/P&gt;

&lt;P&gt;Cris&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;Sorry with my little poor English ^_^   &lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 12:33:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78107#M15974</guid>
      <dc:creator>christantoy</dc:creator>
      <dc:date>2020-09-28T12:33:07Z</dc:date>
    </item>
    <item>
      <title>Re: Summary Indexing in distributed Splunk servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78108#M15975</link>
      <description>&lt;P&gt;What is the actual question? You have a current setup. Is it working as you want?&lt;/P&gt;</description>
      <pubDate>Wed, 03 Oct 2012 11:04:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78108#M15975</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2012-10-03T11:04:33Z</dc:date>
    </item>
    <item>
      <title>Re: Summary Indexing in distributed Splunk servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78109#M15976</link>
      <description>&lt;P&gt;Thanks for the reply and your time &lt;/P&gt;

&lt;P&gt;About with my current set-up it's working but i am not sure if that was right.&lt;/P&gt;

&lt;P&gt;Now the question is!&lt;/P&gt;

&lt;P&gt;I want to view or search my created index form summary indexing server into my search head server.&lt;/P&gt;

&lt;P&gt;so i am asking if there is a another way to do it?&lt;/P&gt;

&lt;P&gt;Thanks again!&lt;/P&gt;

&lt;P&gt;Regards&lt;BR /&gt;
Cris&lt;/P&gt;</description>
      <pubDate>Wed, 03 Oct 2012 13:36:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78109#M15976</guid>
      <dc:creator>christantoy</dc:creator>
      <dc:date>2012-10-03T13:36:18Z</dc:date>
    </item>
    <item>
      <title>Re: Summary Indexing in distributed Splunk servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78110#M15977</link>
      <description>&lt;P&gt;Note that for the summary indexed data to be visible to the other search heads, you'll have to set up server 8 to send its data back to the indexers. This means that it has an outputs.conf just like the forwarder system, listing all five indexers. Furthermore, you'll need some additional data in outputs.conf to direct Splunk (on server8) to index &lt;EM&gt;nothing&lt;/EM&gt; locally:&lt;/P&gt;

&lt;PRE&gt;
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

[indexAndForward]
index = false
&lt;/PRE&gt;

&lt;P&gt;While the entries missing a right hand side (nothing to the right of the equals sign &lt;span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:"&gt;😃&lt;/span&gt; may be confusing, those are used to &lt;EM&gt;clear&lt;/EM&gt; a default setting, by emptying the setting.&lt;/P&gt;</description>
      <pubDate>Wed, 03 Oct 2012 13:36:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78110#M15977</guid>
      <dc:creator>sowings</dc:creator>
      <dc:date>2012-10-03T13:36:34Z</dc:date>
    </item>
    <item>
      <title>Re: Summary Indexing in distributed Splunk servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78111#M15978</link>
      <description>&lt;P&gt;@ Sowings&lt;/P&gt;

&lt;P&gt;Thanks for the reply and into your time&lt;/P&gt;

&lt;P&gt;Is this the same with distributed search located at manager tab?&lt;/P&gt;

&lt;P&gt;Because my current set-up is &lt;BR /&gt;
I set this set-up using distributed search located at mangers tab&lt;/P&gt;

&lt;P&gt;Search Head Server search peer i add the 5 indexing servers&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Summary Indexing Server

Summary indexing Server Also i add a search peer
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;HR /&gt;

&lt;P&gt;And now i need to save a search and enable it the summary indexing and choose my created sample index and set schedule and save it using summary indexing server&lt;/P&gt;

&lt;P&gt;after a hour to check if the date already save with my created sample indexes the search head server will do that using this search string ( splunk_server=* index=sample_indexes ) and now i can view the consisting data that i created on my summary indexing server and now i can now used my created indexes from my summary indexing server to create a dashboard.&lt;/P&gt;

&lt;P&gt;and now i am asking this is right or i am just wasting my time?&lt;/P&gt;

&lt;P&gt;Thanks and regards&lt;BR /&gt;
Cris&lt;/P&gt;

&lt;P&gt;Please don't hesitate to ask me if i need to elaborate more my question &lt;/P&gt;

&lt;P&gt;Thanks thanks &lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 12:33:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Summary-Indexing-in-distributed-Splunk-servers/m-p/78111#M15978</guid>
      <dc:creator>christantoy</dc:creator>
      <dc:date>2020-09-28T12:33:09Z</dc:date>
    </item>
  </channel>
</rss>

