Getting Data In

After creating a new index on the master and distributing it to the peer nodes, why do I not see the new index on my heavy forwarder?

Explorer

Hey all,

My setup consist of 1 search head, master, 4 peer nodes. I'm using a heavy forwarder to get data in. I've created a new index on the master and distributed it to the peer nodes.. My question is when I go onto the heavy forwarder to add a data.. I don't see the new index lists as an option. Am I supposed to manually create it on the heavy forwarder as well?

Thanks so much

1 Solution

Path Finder

Only if the instance is a member of the cluster will the indexes be visible on the heavy forwarder. Sadly, there is no explicit configuration to add Heavy Forwarders to the cluster. This means that you can either setup a clustered search head to perform this forwarding function (forwarding to the indexer), or yes, create the index manually on HF, which is identically named to your search peer (aka indexer index). In both cases just make sure you do not maintain local copies of the data and forward the data to the search peers.

View solution in original post

Builder
  1. From cluster master you can push configuration to cluster peers only, not to the forwarders.
  2. If you want to configure the forwarder to send the data to particular index on cluster-peers, use one of the following methods a) use deployment server (app with inputs.conf file) OR b) create inputs.conf file in the forwarder to read the data from souce and restart OR c) use the following command to add the input files For continuous monitor the file: ./splunk add monitor -index [ -sourcetype ] For adding file one time only : ./splunk add oneshot -index [ -sourcetype ]

If you want to send the data to cluster-peers (the index is created on cluster) from any forwarder, you no need to create index in the heavy forwarder since the data is finally indexed in cluster peers. Incase if you want to index the data in heavy forwarder too in addition to cluster, then you have to create the index in heavy forwarder manually or use deployment server or create from CLI command or manual put in indexes.conf file

let me know if you need any more clarification.

Contributor

Yayannah,
It's been several years, but your post is still valuable:
If you want to configure the forwarder to send the data to particular index on cluster-peers, use one of the following methods
a) use deployment server (app with inputs.conf file) OR
b) create inputs.conf file in the forwarder to read the data from souce and restart OR
c) use the following command to add the input files
For continuous monitor the file: ./splunk add monitor -index [ -sourcetype ] For adding file one time only : ./splunk add oneshot -index [ -sourcetype ]

Let's say I have a server playing both role DS and Cluster Master, indexes created on this box. Data is being sent to a HF, then ends up in 7 peer nodes.
Log file: log123.log
Sourcetype: networksource
Monitoring type: continuously
I'd like to assign this data source to index IDX123 created in the DS/CM server.
Would you please give details on which server to run which command?

Thank you,

0 Karma

Path Finder

Only if the instance is a member of the cluster will the indexes be visible on the heavy forwarder. Sadly, there is no explicit configuration to add Heavy Forwarders to the cluster. This means that you can either setup a clustered search head to perform this forwarding function (forwarding to the indexer), or yes, create the index manually on HF, which is identically named to your search peer (aka indexer index). In both cases just make sure you do not maintain local copies of the data and forward the data to the search peers.

View solution in original post

Explorer

thank you!

0 Karma