Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Distributed Summary Indexing from Search Head

mattcg
Explorer
‎11-02-2010 05:35 PM

Hello,

I'm looking to set up our search head to send summary index data it generates back to our indexers in a distributed environment.

I found the following question, and I understand the theory of the answer. However, I don't know specifically how to set up the search head as a forwarder and how to tell it to forward the summaries generated instead of indexing them.

http://answers.splunk.com/questions/5837/summary-indexing-on-a-search-head

Furthermore, is Splunk intelligent enough to determine that summaries generated by a search head and then forwarded back down to our indexers are summaries and therefore not count them toward our license?

Thanks for any guidance.

Reply
1 Solution
Solved! Jump to solution
Solution

Brian_Osburn
Builder
‎11-02-2010 07:40 PM

Hi Matt - Having gone through this before, I can say that anything forwarded from the Search head to the indexers is NOT counted toward your license cost. You can even set up the Search head to use the forwarder license included with the app.

With regards to setting up the Search head as a forwarder, it's the same process as you would use for any other forwarder. You can find the details here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Setupforwardingandreceiving#Set_up_forward....

Now, there's one caveat. If you use custom named summary indexes, you'll have to make sure they're created in the indexes.conf on the Indexers as well.

Hope this helps! Brian

View solution in original post

Reply
Solved! Jump to solution

sabaKhadivi
Path Finder
‎04-27-2019 11:48 PM

I did it and internal,audit , introspection also copied to indexer, how can I change configuration in the way it exclude internal indexes

0 Karma
Reply
Solved! Jump to solution
Solution

Brian_Osburn
Builder
‎11-02-2010 07:40 PM

Hi Matt - Having gone through this before, I can say that anything forwarded from the Search head to the indexers is NOT counted toward your license cost. You can even set up the Search head to use the forwarder license included with the app.

With regards to setting up the Search head as a forwarder, it's the same process as you would use for any other forwarder. You can find the details here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Setupforwardingandreceiving#Set_up_forward....

Now, there's one caveat. If you use custom named summary indexes, you'll have to make sure they're created in the indexes.conf on the Indexers as well.

Hope this helps! Brian

Reply
Solved! Jump to solution

Splunk_U
Path Finder
‎12-14-2012 09:40 AM

I have also tried the same. I have a srch head and two indexers. I tried to forward the summary index from the srch head to both the indexers. Now for one of the Indxers it is working fine but for the other one it is not working.

0 Karma
Reply
Solved! Jump to solution

Jason
Motivator
‎04-14-2011 03:39 PM

Not everything forwarded from a SH to an indexer is license free - only things that are license-free anyways, such as internal logs and summary indexing. It is possible to bust a forwarder license with something like the UNIX app inputs and no indexer to forward to!

Reply
Solved! Jump to solution

mattcg
Explorer
‎11-02-2010 07:47 PM

Excellent. That's exactly what I was looking for, and I forgot to mention that we do use custom named summary indexes. I will try the setup as you suggest and report back. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...