Getting Data In
Highlighted

Summary Indexing in distributed Splunk servers

Path Finder

Hi sir/ma'am

I have a 8 servers with splunk and splunkforwarder

Server 1 - indexer1 ( with Splunk )
Server 2 - indexer2 ( with Splunk )
Server 3 - indexer3 ( with Splunk )
Server 4 - indexer4 ( with Splunk )
server 5 - indexer5 ( with Splunk )
server 6 - Logs Server ( with Splunk forwarder and syslog-ng)
server 7 - search head ( with Splunk )
server 8 - summary indexing ( with Splunk )

And now this is my set-up on

Logs Server are now sending logs with the 5 indexer2
and
the the search head are now configured the listen into the 5 indexers using search peer in splunk and its working..

Now my question is

How i can set-up a summary indexing with my summary indexing server? that can search my created index in summary indexing server into my search head server

i tried my own set-up but i not quiet sure if i am right

this is my set-up

in summary indexing server i create search peer located at distributed search listening to the 5 indexing server and now i can view the logs came from the indexing servers and also i create a new index named sample_summary and also a create a search with summary indexing enable pointed with my new created index and now i check my created index and now it have a data.

so next step is to check into search head and its now searchable i used this kind of search string

( splunkserver="xxx-xxxxx" index=samplesummary )

Thats my current set-up

Let e know if i need to elaborate my question more

thanks and best regards

Cris


Sorry with my little poor English ^_^

Tags (2)
0 Karma
Highlighted

Re: Summary Indexing in distributed Splunk servers

Legend

What is the actual question? You have a current setup. Is it working as you want?

0 Karma
Highlighted

Re: Summary Indexing in distributed Splunk servers

Path Finder

Thanks for the reply and your time

About with my current set-up it's working but i am not sure if that was right.

Now the question is!

I want to view or search my created index form summary indexing server into my search head server.

so i am asking if there is a another way to do it?

Thanks again!

Regards
Cris

0 Karma
Highlighted

Re: Summary Indexing in distributed Splunk servers

Splunk Employee
Splunk Employee

Note that for the summary indexed data to be visible to the other search heads, you'll have to set up server 8 to send its data back to the indexers. This means that it has an outputs.conf just like the forwarder system, listing all five indexers. Furthermore, you'll need some additional data in outputs.conf to direct Splunk (on server8) to index nothing locally:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

[indexAndForward]
index = false

While the entries missing a right hand side (nothing to the right of the equals sign 😃 may be confusing, those are used to clear a default setting, by emptying the setting.

Highlighted

Re: Summary Indexing in distributed Splunk servers

Path Finder

@ Sowings

Thanks for the reply and into your time

Is this the same with distributed search located at manager tab?

Because my current set-up is
I set this set-up using distributed search located at mangers tab

Search Head Server search peer i add the 5 indexing servers

xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Summary Indexing Server

Summary indexing Server Also i add a search peer
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server

And now i need to save a search and enable it the summary indexing and choose my created sample index and set schedule and save it using summary indexing server

after a hour to check if the date already save with my created sample indexes the search head server will do that using this search string ( splunkserver=* index=sampleindexes ) and now i can view the consisting data that i created on my summary indexing server and now i can now used my created indexes from my summary indexing server to create a dashboard.

and now i am asking this is right or i am just wasting my time?

Thanks and regards
Cris

Please don't hesitate to ask me if i need to elaborate more my question

Thanks thanks

0 Karma