Should a summary index be created on both Search Head and Indexer?

Contributor

I created a new index (test_summary) in the Indexer for storing summary data.

Then I created a new report in Search Head and enabled it for Summary Indexing. At the time of enabling, you normally have to pick your summary index from the "Select the Summary Index" drop-down. The drop-down was showing the new index (test_summary) that I created on the Indexer.

When the summary job was triggered out of the report, I started seeing an error message in the Search Head saying:

test_summary index was either disabled/deleted or does not exist

Do we need to create the index in the Search Head as well? I don't think we would want to maintain the summary indexed data on the Search Head.

Any advice?

1 Solution

SplunkTrust

Hi jagadeeshm,

It might sound strange, but yes you need to add the index to the search head as well.

Don't worry about storing data on the search head: if you set up data forwarding on your search head and tell Splunk just to forward the local events and not to store them, you will have no local summary data on the search head.

See the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/Forwardsearchheaddata for the best practice of forwarding logs from search heads to the indexers. The option indexAndForward = false is the one that prevents Splunk from keeping a local copy of your events.

Hope this helps ...

cheers, MuS

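The configuration MuS is describing, written out as an added example (not part of the original answer or of the Splunk docs it links). It follows the 6.4 "forward search head data" procedure: a search-head outputs.conf that forwards everything and keeps nothing locally, plus the indexes.conf stub that makes the test_summary index name resolvable on the search head. The output group name search_peers, the indexer host names and port 9997 are placeholders you must replace with your own; the test_summary index name is the one from the question.

```ini
# outputs.conf on the SEARCH HEAD, e.g. $SPLUNK_HOME/etc/system/local/outputs.conf
# (or the local/ directory of a dedicated app). Restart splunkd after editing.

# Never write search-head-generated events (summary results, _internal,
# _audit, ...) into the search head's own indexes.
[indexAndForward]
index = false

[tcpout]
defaultGroup = search_peers
# By default the forwarder drops the _internal/_audit indexes; disable that
# filter so every index, including the summary index, reaches the indexers.
forwardedindex.filter.disable = true
# Forward only, do not index a local copy.
indexAndForward = false

# Placeholder group: list the receiving port of every indexer (search peer).
[tcpout:search_peers]
server = indexer1.example.com:9997,indexer2.example.com:9997

# indexes.conf on the SEARCH HEAD (and, as in the question, on the indexers).
# The stanza only has to exist so "test_summary" is a valid target for the
# summary search; with the outputs.conf above no buckets are ever filled here.
[test_summary]
homePath   = $SPLUNK_DB/test_summary/db
coldPath   = $SPLUNK_DB/test_summary/colddb
thawedPath = $SPLUNK_DB/test_summary/thaweddb
```

Two practical notes. The indexers must actually be listening on the port you name (a `[splunktcp://9997]` stanza in their inputs.conf), and if they require TLS on that port you add the corresponding `sslRootCAPath`/`sslCertPath` settings under `[tcpout]` rather than opening a plaintext receiver. To confirm forwarding is working, run `splunk btool outputs list --debug` on the search head to see which file each setting is coming from, `splunk list forward-server` to see whether the indexers show up as active, and then search `index=_internal host=<search head>` on an indexer: search-head events appearing there means the pipeline is flowing. Forwarding only applies to events produced after it is enabled; anything already written into local buckets stays where it is and is not re-sent.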

Contributor

@MuS - Thanks for the quick reply. Yes, it is a bit strange that it shows the index created on the Indexer in the Search Head drop-down but doesn't actually store it there. Is this the most common and best approach to creating Summary Indexes?

0 Karma

Contributor

I created the outputs.conf here - /opt/splunk/etc/apps/SplunkForwarder/local. Is this correct?

0 Karma

Contributor

Where am I saying to forward events of test_summary only?

0 Karma

SplunkTrust

If you only want to forward events for the summary index, you need to apply some routing and filtering, see http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad, but why would you do that? Forward everything, especially the _internal events; you will need them in case of troubleshooting 😉

0 Karma

Contributor

If I set a forwarder NOW, will it forward EVERYTHING from Search Head to the Indexer? Or is it only for the events moving forward?

0 Karma

SplunkTrust

You will get the internal and summary events from the moment you enable the forwarding on the search heads. What are your concerns? It will not affect your license usage, since internal logs and summary events do not count against your license usage.

0 Karma

Contributor

I am not worried about the license. As soon as I created the test_summary index on the Search Head I started seeing the summary data in there. I was wondering, now that I have enabled forwarding on the Search Head, will it forward everything from the test_summary index on the Search Head to the Indexer, or is it just for the events moving forward only?

0 Karma

SplunkTrust

As I said, it will not create anything on the search head in the summary index; all events are forwarded to the indexers.

0 Karma

Contributor

Another question - Summary Indexing doesn't take up license usage. But when this data is forwarded to the Indexer, does it take up additional usage? That will be REALLY bad!

0 Karma

SplunkTrust

Please accept this answer if it solved your problem - thanks 🙂

0 Karma

Contributor

My summary index is configured to run every hour and summarize the data from the hours before. As described in the document, I have forwarding enabled on the Search Head for all events.

However, my events in the summary index on the indexer are at least 4 hours behind.

How to debug this situation further?

0 Karma

Contributor

Before the forwarding was enabled, my scheduled Report for summarizing ran twice and I had events sitting in the Search Head. After the forwarding was set up, it looks like new events are being forwarded to the Indexer, but how can I get the existing ones into the Indexer as well?

0 Karma

SplunkTrust

No, summary index events do not count against the license usage. From the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configuresummaryindexes :

Summary indexing volume is not counted against your license, even if you have several summary indexes. In the event of a license violation, summary indexing will halt like any other non-internal search behavior.

0 Karma

Contributor

Perfect, Thanks!

0 Karma

Contributor

I enabled the forwarding as described in the doc, but I don't see my events flowing to the Indexer... what is the best way to validate this?

0 Karma