- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to add an index to a search head and keep ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a search head that communicates with 3 non-clustered indexers ( autolb distribution of data). Indexed data is distributed evenly across all three indexers.
Now I need to add a remote indexer to the search head but I don't want to add it to the other indexers group. It needs to be separate because the remote indexer is managed by someone else. However I need it to communicate to my search head so I can monitor the data contained in that remote indexer.
How would I set this up?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume, you want your search head to 'search' the data/logs in the newly added indexer. If so, you can add that just like the other indexers via dist search
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuredistributedsearch
https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Distsearchconf
On the forwarder level, where you define tcpout group, you can decide what logs/data needs to go to new indexer or the old indexers [ 3 non-clustered one].
Do you see any issues with this approach?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume, you want your search head to 'search' the data/logs in the newly added indexer. If so, you can add that just like the other indexers via dist search
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuredistributedsearch
https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Distsearchconf
On the forwarder level, where you define tcpout group, you can decide what logs/data needs to go to new indexer or the old indexers [ 3 non-clustered one].
Do you see any issues with this approach?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, I guess in my environment I just need to add the indexer as a "search peer" just wanted to make sure that something was not accidentally created where the remote indexer was auto added/joined to the others in an autolb fashion. But it does not.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
