- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I run a local search on my deployment server and make the results accessible for search?
Hello,
I have a query that needs to run locally on the deployment server, but I want the results accessible on my search head cluster.
For instance, on the Deployment Server:
|rest /services/deployment/server/clients count=0 splunk_server=local
|fields hostname name ip dns utsname
|outputlookup deployment_clients.csv
And now on a member of my search head cluster I want to run and get the results back:
|inputlookup deployment_clients
Can someone point me in the right direction on how to accomplish this? Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way is @somesoni2's suggestion to collect to a summary index, subject to the limitation that you are currently sending all index data from the deployment server to the indexers.
A second way, if the above limitation is not in place, would be to have your search trigger a script to copy the output csv file to a destination on your search head and pick it up there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AFAIK, there is no native way available to share a lookup table between two, non-clustered instances. If you send all indexes data from Deployment server to your indexers, my suggestion would to summary index result of your query on Deployment server (instead of saving it as lookup), so the data will go to indexer and will be available in your search heads. If you need you can then build the lookup table (periodically) from summary index on your search head.
