Deployment Architecture

Can Splunk Do This? -> Blacklist some Splunk indexers in a custom search command for distributed search.


I read this answer:


and followed the instructions from this answer:


It partially solves my problem.

I have a custom search command that can only be executed on a specific Splunk indexer. I need to run this search command from the master head. The main constraint I have is that the custom search command must run in a DMZ network area.

If I enable streaming=true, the custom search will be distributed across all the Splunk indexers. Therefore, the query will fail on the Splunk indexers that cannot execute the custom search, and it will take a lot of time to complete the execution.

If I try: |customsearch

I get this error:

Error in 'customsearch' command: This command must be the first command of a search

How can I solve this problem?

Thanks for your help.



Thanks Mario.
Master head: Version 4.3
Indexer: Version 4.2.1

The search command is just a web REST call, and then the result set is presented to the user. This web REST call can only be executed in the DMZ environment (the indexer is found in this environment). That is why I need to exclude the indexers that cannot access this network.




Without knowing anything more about this custom search command, maybe you can just try a subsearch. This works for other Splunk built-in commands that must appear first.

For instance, something like this might/should work:

search> customsearch [search]

Essentially, in a subsearch, what is in the brackets is the "inner search," which says do this search and then pass the results to what is outside of the brackets (the outer search).

You may need to muck with setting earliest and latest to set your times in the inner search to ensure the data you are looking for is included properly.





Thanks for your answer, but the solution to the problem is not about subsearch; it is about how to exclude ("blacklist") Splunk indexers from a custom search command for distributed search.



What does your custom search command do? Which version of Splunk are you running?
