Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Specify which server's _internal index to search

kogane
Path Finder
‎08-27-2012 09:57 AM

Is it possible to specify which server's _internal index to search? I have a setup with multiple search head pools, plus a license master with many slaves. My goal is to run a query from any search head, but have it use the _internal index of the license master only.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-27-2012 10:17 AM

If you want to restrict searches to a particular server, you should tell it so;

index=_internal splunk_server=MY_SPLUNK_SERVER | blah blah

If you don't know the name of the server, you could probably find it out through a search like;

index=_internal | dedup splunk_server | table splunk_server

hope this helps,

Kristian

Reply

kristian_kolb
Ultra Champion
‎08-27-2012 12:05 PM

Well, I guess that you could either

a) define the license master as a search peer for all your search heads, or

b) configure the license master to forward its _internal logs to the indexer(s).

In case b) you'd then be looking at index=_internal host=your_license_master instead of splunk_server

/k

Reply

kogane
Path Finder
‎08-27-2012 10:26 AM

The license master is only a search head, not an indexer, so it doesn't show up in these results. It's not configured as a search peer, just as part of a search head pool. Perhaps I have to change this, to make what I want to do possible.

0 Karma
Reply

MarioM
Motivator
‎08-27-2012 10:14 AM

field splunk_server is the one which tell you which splunk instance the data come from

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...