Hello,
For the internal indexes of the search head, should we send them to be stored on the indexers? If so, can we send them to both indexers without them being in a cluster?
Additionally, I have installed the add-on on the search head, and the index where the collected data is stored is located on the search head at the following path: /opt/splunk/etc/apps/search/local/indexes.conf. How can I direct this index to both indexers that are not in a cluster?
Hi @BRFZ ,
it's a best practice to forward all internal logs from Splunk servers to Indexers and not to have local indexing.
Ciao.
Giuseppe
Could you help me with how to do this in the case where there are two indexers that are not in a cluster please?
Clustering is an internal thing of the indexers; from the source's (in this case your search head's) point of view it doesn't matter. You just set the output group to both your indexers and you're good. If your indexers were clustered, they'd replicate the incoming data among themselves. When they're not clustered, only the one directly receiving an event will hold it.
Hi @BRFZ ,
you have to go to [Settings > Forwarding and Receiving > Forwarding] on your SHs and configure the forwarding of all logs to your indexers, inserting both your indexers.
This activity should be done on all your Splunk Servers except the Indexers themselves (e.g. also on the Deployment Server, if you have one).
If your indexers are not clustered, it's the same thing in forwarding; obviously, if one of them is down, you'll have half of the data in your searches.
Ciao.
Giuseppe
Thank you for your response. Could you help me with the second problem?
I have installed the add-on on the Search Head, and the index where the collected data is stored is located on the search head at the following path: '/opt/splunk/etc/apps/search/local/indexes.conf'
How can I direct this index to both indexers that are not in a cluster?
Hi @BRFZ ,
let me understand: are you using the SH to collect events?
this isn't a best practice.
Anyway, if you are forwarding events from the SH to the indexers, you should be ok.
Ciao.
Giuseppe
Yes, I installed an add-on on the search head, and I intend to send the data to the indexers for storage. However, the index was stored in this path /opt/splunk/etc/apps/search/local/indexers.conf instead of /opt/splunk/etc/system, so I don't see where I can configure the outputs to send the data.
Hi @BRFZ ,
forwarding to Indexers is configured at global level, you don't need to add anything to this ingestion.
Check if these logs are in the correct splunk_server.
ciao.
Giuseppe
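The configuration the thread describes, written out as files. This is an added example, not something posted by a participant: the host names `idx1.example.local` and `idx2.example.local`, the receiving port 9997, the group name `primary_indexers` and the index name `addon_data` are placeholders. Because forwarding is global, one output group covers both the internal indexes and the add-on's index; the index itself must also be defined on each indexer.

```ini
# --- On the search head: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# (the same settings the Forwarding and Receiving UI page writes)

# Stop keeping a local copy of events on the search head.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
# Forward every index, including _internal and _audit,
# which the default forwardedindex filters would otherwise restrict.
forwardedindex.filter.disable = true
indexAndForward = false

# Both non-clustered indexers in one group: the search head load-balances
# between them, so each event is stored on exactly one indexer.
[tcpout:primary_indexers]
server = idx1.example.local:9997, idx2.example.local:9997

# --- On EACH indexer: indexes.conf (for example in an app's local directory) ---
# The index the add-on writes to must exist where the data is stored.
# Without it the indexer has no index to put the forwarded events in.
[addon_data]
homePath   = $SPLUNK_DB/addon_data/db
coldPath   = $SPLUNK_DB/addon_data/colddb
thawedPath = $SPLUNK_DB/addon_data/thaweddb
```

After restarting the search head, a search such as `index=_internal host=<search head name> | stats count by splunk_server` should list the two indexers rather than the search head, which is the check Giuseppe suggests.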