Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where should we upload a file to index the data in an indexer cluster?

rangineniarunku
Explorer
‎07-14-2017 02:13 PM

We are using clustered environment with multiple indexers and single Search head. I want to upload a file which needs to be indexed in all the indexers. Where should I upload it SearchHead or Cluster Master to reflect in all the indexers?

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-14-2017 03:11 PM

I would recommend you upload form the search head, but you need to ensure you confirm that the search head is configured with an ouputs.conf and is forwarding to the indexers. It is best practice, that all your splunk instances other than indexers* have a outputs.conf and forward their logs or any data uploaded to the indexers.

You can read the following article and think of your search head as a "Heavy Forwarder":
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Deployaheavyforwarder

As long as you have an outputs.conf on the search head, uploading form there will be fine.

Now, when you upload the file, it will be sent to ONE indexer, indexed, and replicated based on your Replication Factor/Search Factor in the cluster.

When you say "all indexers", do really mean every single indexer? Are we talking about a file that needs to be indexed? or a file that needs to be provided to each indexer...Because if it's the later, you simply need to send the file to the indexers in an app from the Cluster Master by pushing a cluster bundle.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Updatepeerconfigurations

  • there are certain scenarios where indexers might have outputs to 3rd party systems but thats beyond the scope of this answer
- MattyMo
0 Karma
Reply

rangineniarunku
Explorer
‎07-14-2017 10:05 PM

I want to upload a file that needs to be indexed and make sure it available in all the indexers as we are using clustered environment.

0 Karma
Reply

davidmills
Explorer
‎02-21-2019 05:10 PM

We have a cluster of 3 Search Heads. Does the same still apply. Do we load the file to one of the 3 and index from there?

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-15-2017 10:43 AM

The follow the first part of my answer above and add the data from the Search Head.

The Cluster will ensure the data is replicated accordingly.

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...