Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distributed Summary indexing - Search head and indexer on 4.2

Starlette
Contributor
‎03-15-2011 03:29 PM

Hai there,

How do have to deal with this on 4.2? Cause in 4.2 you have to run the search head as a member of the pool ( slave license node) ( http://www.splunk.com/base/Documentation/latest/Deploy/Installadedicatedsearchhead )

I am rolling out now this setup with the cisco security app, and am not sure how to go on. * want custom summary indexes btw, from the cisco security app due rolles/users.

pre 4.2 answers :

http://answers.splunk.com/questions/7810/app-installation-scheduled-searches-summary-index-and-searc...

http://answers.splunk.com/questions/5837/summary-indexing-on-a-search-head

http://answers.splunk.com/questions/8613/distributed-summary

thanks!

0 Karma
Reply

rbal_splunk
Splunk Employee
Splunk Employee
‎07-29-2014 03:11 PM

The Information provided above for Summary Indexing is true in Splunk Clustered environment.

Below are the steps that I used to test it in my Clustered environment on Splunk version 6.0.4.

In my clustered test environment I have Cluster master (Name:CM604) Cluster peer 1 (Name :peer1604) Cluster peer 2 (Name :peer2604) Search Head 1 (Name sh604) Search Head 2 (Name sh2604)

1) Search Head 1 is setup to "forwarder" all the data to the Cluster Peers.
2) For my test - used index=testsummary for summary indexing.
3) Deployed custom index=testsummary from cluster master to cluster Peer Using indexes.conf).
4) Create custom index on "Search Head 1 " where summary Indexing is to be performed.
5) Defined Saved search on "Search Head 1 " , which will use custom index= testsummary for summary indexing. The "search head 1" Perform summary and forward the data to the Cluster Peers.
6) This data is searchable from both "Search Head 1 " and "Search Head 2 "

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-29-2013 03:49 PM

for summary indexing, in a distributed environment, you need :

  • the summary index created on the search-head and on every indexers
  • the search head configured to forward all the data to the indexers (load balancer if needed), see manager > forwarding
  • the app and summary searches installed on the search-head.

The populating searches will run on the search-head, the results be written to the local spooler, then monitored, parsed locally, then forwarded to the indexers and stored on the indexes on the indexers.
Then when searching on the summarized data, it will act like a distributed search, and the results will be returned by the indexers.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...