Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where should we upload a file to index the data in an indexer cluster?

rangineniarunku
Explorer
‎07-14-2017 02:13 PM

We are using clustered environment with multiple indexers and single Search head. I want to upload a file which needs to be indexed in all the indexers. Where should I upload it SearchHead or Cluster Master to reflect in all the indexers?

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-14-2017 03:11 PM

I would recommend you upload form the search head, but you need to ensure you confirm that the search head is configured with an ouputs.conf and is forwarding to the indexers. It is best practice, that all your splunk instances other than indexers* have a outputs.conf and forward their logs or any data uploaded to the indexers.

You can read the following article and think of your search head as a "Heavy Forwarder":
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Deployaheavyforwarder

As long as you have an outputs.conf on the search head, uploading form there will be fine.

Now, when you upload the file, it will be sent to ONE indexer, indexed, and replicated based on your Replication Factor/Search Factor in the cluster.

When you say "all indexers", do really mean every single indexer? Are we talking about a file that needs to be indexed? or a file that needs to be provided to each indexer...Because if it's the later, you simply need to send the file to the indexers in an app from the Cluster Master by pushing a cluster bundle.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Updatepeerconfigurations

  • there are certain scenarios where indexers might have outputs to 3rd party systems but thats beyond the scope of this answer
- MattyMo
0 Karma
Reply

rangineniarunku
Explorer
‎07-14-2017 10:05 PM

I want to upload a file that needs to be indexed and make sure it available in all the indexers as we are using clustered environment.

0 Karma
Reply

davidmills
Explorer
‎02-21-2019 05:10 PM

We have a cluster of 3 Search Heads. Does the same still apply. Do we load the file to one of the 3 and index from there?

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-15-2017 10:43 AM

The follow the first part of my answer above and add the data from the Search Head.

The Cluster will ensure the data is replicated accordingly.

- MattyMo
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...