All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is it possible to get resource utilization information for all clustered search heads from a single search head using the S.o.S add-on for Linux?

butzowj
Path Finder
‎01-07-2016 08:15 AM

Hi,

We are running S.o.S - Splunk on Splunk in a search head clustering environment. Is it possible to get the resource utilization information from all search heads to be searchable from a single search head using the S.o.S add-on for Linux? Right now, I have to log in to Splunk Web for each search head to get the data for that search head, (i.e. I have to log in to searchhead1:8000 to view info for searchhead1).

Thanks,
JB

0 Karma
Reply

msudhindra
Path Finder
‎01-07-2016 10:55 AM

Where does your search-head maintain its data , and is that location searchable from the other search heads ? Do you have an outputs.conf on your search-head that redirects the outputs to an indexer ?

The default behavior of Splunk is to maintain (index) data locally. So your search head in the cluster, is also an indexer for local data only. The issue you see is due to the fact that the search head you are logging into, does not have access to the data indexed on other search head nodes in the cluster.

In our case, we forward all data from a search head off to an indexer, where it is indexed, and maintained. These indexers are searchable from all the search head nodes in the cluster, and the above problem is avoided.

Thanks,
Madan

Reply

butzowj
Path Finder
‎01-07-2016 11:03 AM

HI Madan -

Thx for the response.

Our search heads write data locally right now, because we don't know how to configure it any other way. Ideally, we would write send this data to the index cluster to be indexed with the rest of our data. It sounds like we need to utilize an outputs.conf file to forward the locally indexed data to the index cluster.

Which outputs.conf file would we use, and would this have any other potential impacts to the system?

Thanks,
JB

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...