@MuS - Thanks for the quick reply. Yes, it is a bit strange that it shows the index created on the Indexer in the Search Head dropdown but doesn't actually store in there. Is this the most common and best approach to create Summary Indexes?

I created the outputs.conf here - /opt/splunk/etc/apps/SplunkForwarder/local. Is this correct?

Where am I saying that forward events of test_summary ony?

If you only want to forward events for the summary index, you need to apply some route and filtering http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad but why would you do that? Forward everything, specially the _internal events you will need them in case of troubleshooting 😉

If I set a forwarder NOW, will it forward EVERYTHING from Search Head to the Indexer? Or is it only for the events moving forward?

You will get the internal and summary from the moment you enable the forwarding on the search heads. What are your concerns? It will not effect your license usage, since internal logs and summary event do not count against your license usage.

I am not worried about the license. As soon as I created the test_summary index on the Search Head I started seeing the summary data in there. I was wondering now that I enabled forwarding on the Search Head, will it forward everything from the test_summary index from the Search Head to the Indexer or is it just for the events moving forward only?

As I said, it will not create anything on the search head in the summary index - all events are forwarded to the indexers.

Another question - Summary Indexing doesn't take up license usage. But when this data is forwarded to the Indexer, does it take up additional usage? That will be REALLY bad!

Please accept this answer if it solved your problem - thanks 🙂

My summary index is configured to run every hour and summarize the data the hours before. Like described in the document, I have the forwarding enabled in the Search Head for all events.

However, my events in the summary index on the indexer are at least 4 hours behind.

How to debug this situation further?

Before the forwarding was enabled, my scheduled Report for summarizing ran twice and i had events sitting in the Search Head. After the forwarding was set-up, it looks like new events are being forwarded to the Indexer, but how can I get the exiting ones also into the Indexer?

No, summary index events do not count against the license usage - from the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configuresummaryindexes :

Summary indexing volume is not counted against your license, even if you have several summary indexes. In the event of a license violation, summary indexing will halt like any other non-internal search behavior.

Perfect, Thanks!

I enabled the forwarding like I mentioned in the doc, but I don't see my events flowing to Indexer...what is the best way to validate this ?