Is there a way to include more than one indexer for scheduled searches that write to a summary index?
The scheduled search UI does not have it. I am not sure if this can be done via Splunk config stanza....
Thanks,
Lp
It is a Splunk best practice to send the Summary Index data (and all other data) to the Indexer tier (by default it goes to the Search Head). You must configure outputs.conf and indexes.conf as described here:
https://docs.splunk.com/Documentation/Splunk/6.5.2/DistSearch/Forwardsearchheaddata
You may want to look here.
TLDR: You'll need to forward your data from your search head to your indexers.
https://answers.splunk.com/answers/8613/distributed-summary-indexing-from-search-head.html
Thanks.
How can you ensure that it will not go to the license quota?
More information here. Just make sure the search that is generating the results is a summary search.
What about if I do not have a cluster? Will it still work?
Thanks.
Lp
So you have a single search head and single indexer?
And to answer that: Yes, you can.
I have a search head and multiple indexers.
Yep. You should be good. Again, just make sure the search you're running is a summary search.
It's summarized data. Make sure you've got a summary index created on your index cluster.
What do you mean by push to more than one indexer: load balance the whole data to multiple indexers (which it should be doing if your search head has the appropriate outputs.conf configuration), or replicate the whole data to multiple indexers?
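For reference, a sketch of the search head forwarding setup the answers above point to. This is an added example, not a config posted by anyone in the thread. The group name, indexer host names, port 9997 and the `my_summary` index name are constructed placeholders.

```ini
# ---- outputs.conf on the search head ----
# Stop the search head from indexing locally, so summary-index
# results (and its other data) go to the indexer tier instead.
[indexAndForward]
index = false

[tcpout]
defaultGroup = my_indexers
# Forward all indexes, including summary indexes.
forwardedindex.filter.disable = true
indexAndForward = false

# Listing several indexers makes the search head load balance
# across them. Each event lands on one indexer; this does not
# replicate the data to every indexer in the list.
[tcpout:my_indexers]
# Constructed host names; 9997 is assumed to be the receiving
# port enabled on each indexer.
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997

# ---- indexes.conf on each indexer ----
# The summary index the scheduled search writes to must exist
# on the indexers. "my_summary" is a placeholder name.
[my_summary]
homePath   = $SPLUNK_DB/my_summary/db
coldPath   = $SPLUNK_DB/my_summary/colddb
thawedPath = $SPLUNK_DB/my_summary/thaweddb
```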