Getting Data In

How to mirror a summary index without cluster or distributed search?

kurdbahr
Path Finder

I have a standalone server (6.1.x) running some scheduled searches to consolidate data from multiple large sources into one summary index.
Now I would like to make this summary data simultaneously available on an other standalone server (6.2.x) without setting up a cluster or distributed search.

My current idea is to set up a script action for the scheduled searches that copies the stash files to a network share where it is then read by the other indexer.
Any better ideas?
Is it possible to forward the summary data to the other server?
Maybe by configuring TCP_ROUTING for the "stash" sourcetype in inputs.conf?

1 Solution

kurdbahr
Path Finder

After some hours of digging through the docs this seems to be a working configuration:

etc/system/local/props.conf:

[stash_new]
TRANSFORMS-my_routing_class=my_summary_routing

etc/system/local/transforms.conf:

[my_summary_routing]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_TCP_ROUTING
REGEX=my_summary_index
FORMAT=my_remote_group

etc/system/local/outputs.conf:

[tcpout]
defaultGroup=my_non_existing_group
indexAndForward=true

[tcpout:my_remote_group]
server=192.168.178.31:9996

View solution in original post

kurdbahr
Path Finder

After some hours of digging through the docs this seems to be a working configuration:

etc/system/local/props.conf:

[stash_new]
TRANSFORMS-my_routing_class=my_summary_routing

etc/system/local/transforms.conf:

[my_summary_routing]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_TCP_ROUTING
REGEX=my_summary_index
FORMAT=my_remote_group

etc/system/local/outputs.conf:

[tcpout]
defaultGroup=my_non_existing_group
indexAndForward=true

[tcpout:my_remote_group]
server=192.168.178.31:9996
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...