Deployment Architecture
Can Splunk Do This? -> Blacklist some splunk indexers In Custom search command for distributed search.

Motivator

I read this answer:

http://splunk-base.splunk.com/answers/31681/custom-search-command-for-distributed-search

and followed the instructions from this answer:

http://splunk-base.splunk.com/answers/46970/search-command-from-master-head

It partially solves my problem.

I have a custom search command that can only be executed on a specific Splunk indexer. I need to run this search command from the master head. The main constraint I have is that the custom search command must run in a DMZ network area.

If I enable streaming=true, the custom search will be distributed across all the Splunk indexers. Therefore, the query will fail on the Splunk indexers that cannot execute the custom search, and it will take a lot of time to complete the execution.

If I try:

splunk_server=dmz.indexer.com|customsearch

I get this error:

Error in 'customsearch' command: This command must be the first command of a search

How can I solve this problem?

Thanks for your help.

0 Karma

Re: Can Splunk Do This? -> Blacklist some splunk indexers In Custom search command for distributed search.

Motivator

What does your custom search command do? Which version of Splunk are you running?

0 Karma

Re: Can Splunk Do This? -> Blacklist some splunk indexers In Custom search command for distributed search.

Contributor

lpolo,

Without knowing anything more about this custom search command, maybe you can just try a subsearch. This works for other splunk built-in commands that must appear first.

For instance, something like this might/should work:

search> customsearch [search splunk_server=dmz.indexer.com]

Essentially, in a subsearch, what is in the brackets is the "inner search," which says do this search and then pass the results to what is outside of the brackets (the outer search).

You may need to muck with setting earliest and latest to set your times in the inner search to ensure the data you are looking for is included properly.

Best,

Sean

0 Karma

Re: Can Splunk Do This? -> Blacklist some splunk indexers In Custom search command for distributed search.

Motivator

Thanks for your answer, but the solution to the problem is not about sub-searches; it is about how to exclude ("blacklist") Splunk indexers from a custom search command for distributed search.

0 Karma

Re: Can Splunk Do This? -> Blacklist some splunk indexers In Custom search command for distributed search.

Motivator

Thanks Mario.
Master head: Version 4.3
Indexer: Version 4.2.1

The search command is just a web REST call; the result set is then presented to the user. This web REST call can only be executed in the DMZ environment (the indexer is found in this environment). That is why I need to exclude the indexers that cannot access this network.

0 Karma
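The problem described in this thread (a streaming custom search command that is dispatched to every indexer, but whose REST call can only succeed on the DMZ indexer) can be made to fail fast on the other peers by having the command itself check whether it is running on an allowlisted host before attempting the call. The script below is an added example written for this page, not code from the thread or from Splunk: the hostname dmz.indexer.com is taken from the question, the allowlist, the REST response rows and the failing fetch are constructed for the demo, and the note about wiring the result into splunk.Intersplunk is an assumption about how a Splunk 4.x Python command would emit its results.

```python
import json
import socket
from typing import Callable, Dict, List, Tuple

# Constructed allowlist: the only indexer permitted to reach the DMZ REST endpoint.
# The hostname is the one used in the thread; it is a placeholder, not a real host.
DMZ_INDEXERS = {"dmz.indexer.com"}


def may_run_here(local_host: str, allowed_hosts=DMZ_INDEXERS) -> bool:
    """True only if this Splunk instance's hostname is on the allowlist
    (case-insensitive, surrounding whitespace ignored)."""
    return local_host.strip().lower() in {h.lower() for h in allowed_hosts}


def rows_to_results(payload: str) -> List[Dict[str, str]]:
    """Convert a REST response body (JSON array of objects) into the
    list-of-dicts shape a Splunk search command returns. Every value is
    stringified so the result rows are uniform for later SPL commands."""
    data = json.loads(payload)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of rows")
    results = []
    for row in data:
        if not isinstance(row, dict):
            raise ValueError("each row must be a JSON object")
        results.append({str(k): str(v) for k, v in row.items()})
    return results


def run_command(local_host: str, fetch: Callable[[], str],
                allowed_hosts=DMZ_INDEXERS) -> Tuple[List[Dict[str, str]], str]:
    """Return (results, message).

    Peers that are not allowed to make the DMZ call return an empty result
    set immediately instead of attempting a request that would error out or
    hang until a timeout, so the distributed search finishes quickly and the
    DMZ indexer's results are the only ones merged on the search head."""
    if not may_run_here(local_host, allowed_hosts):
        return [], "skipped: %s is not permitted to call the DMZ REST endpoint" % local_host
    try:
        body = fetch()
    except Exception as exc:  # connection refused, timeout, bad JSON, ...
        return [], "rest call failed on %s: %s" % (local_host, exc)
    return rows_to_results(body), "ok"


def constructed_fetch() -> str:
    """Constructed stand-in for the real REST call (returns a canned JSON body)."""
    return json.dumps([{"host": "dmz-app-01", "status": "200"},
                       {"host": "dmz-app-02", "status": "503"}])


def failing_fetch() -> str:
    """Constructed stand-in for a REST call that times out."""
    raise TimeoutError("timed out")


if __name__ == "__main__":
    # Assumption: a real command would use socket.gethostname() for the host
    # check and hand `results` to splunk.Intersplunk.outputResults().
    results, message = run_command(socket.gethostname(), constructed_fetch)
    print(message)
    for row in results:
        print(row)
```

Run on a non-DMZ host the script prints the "skipped" message and no rows; on the allowlisted host it prints the two constructed rows. The allowlist is the security boundary here: only the peer that is supposed to reach the DMZ ever attempts the call, and the other peers never send a request into that network.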