I have 8 servers with Splunk and Splunk forwarder:
Server 1 - indexer1 ( with Splunk )
Server 2 - indexer2 ( with Splunk )
Server 3 - indexer3 ( with Splunk )
Server 4 - indexer4 ( with Splunk )
server 5 - indexer5 ( with Splunk )
server 6 - Logs Server ( with Splunk forwarder and syslog-ng)
server 7 - search head ( with Splunk )
server 8 - summary indexing ( with Splunk )
And this is my current set-up:
The logs server is now sending logs to the 5 indexers.
The search head is now configured to listen to the 5 indexers using search peers in Splunk, and it's working.
Now my question is:
How can I set up summary indexing with my summary indexing server, so that the index I created on the summary indexing server can be searched from my search head server?
I tried my own set-up, but I'm not quite sure if I am right.
This is my set-up:
On the summary indexing server I created search peers (under Distributed Search) pointing at the 5 indexing servers, and now I can view the logs that came from the indexing servers. I also created a new index named sample_summary, and created a search with summary indexing enabled, pointed at my newly created index. When I check my created index, it now has data.
So the next step is to check in the search head, and it's now searchable. I used this kind of search string:
( splunkserver="xxx-xxxxx" index=samplesummary )
That's my current set-up.
Let me know if I need to elaborate my question more.
thanks and best regards
Sorry for my poor English ^_^
Thanks for the reply and your time.
About my current set-up: it's working, but I am not sure if it was right.
Now the question is:
I want to view or search the index I created on the summary indexing server from my search head server.
So I am asking if there is another way to do it?
Note that for the summary indexed data to be visible to the other search heads, you'll have to set up server 8 to send its data back to the indexers. This means that it has an outputs.conf just like the forwarder system, listing all five indexers. Furthermore, you'll need some additional data in outputs.conf to direct Splunk (on server 8) to index nothing locally:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

[indexAndForward]
index = false

While the entries missing a right hand side (nothing to the right of the equals sign :) may be confusing, those are used to clear a default setting, by emptying the setting.
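A fuller version of the two files the answer above describes, as an added example rather than the answerer's own configuration; the indexer hostnames, the receiving port 9997 and the index paths are assumptions.

```ini
# outputs.conf on server 8 (the summary indexing server).
# Added example; indexer hostnames are constructed placeholders and
# port 9997 assumes the indexers already receive forwarder traffic there.
[tcpout]
defaultGroup = summary_to_indexers
# Clear the default forwardedindex filters so that every index,
# including sample_summary, is forwarded instead of being held back.
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

[tcpout:summary_to_indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997, indexer3.example.com:9997, indexer4.example.com:9997, indexer5.example.com:9997

[indexAndForward]
# Keep no local copy: the summary events live only on the five indexers,
# where every search head that has them as search peers can find them.
index = false

# indexes.conf on EACH of the five indexers.
# The receiving indexer must know the index, otherwise it has nowhere
# to store the forwarded summary events. Paths assume the default layout.
[sample_summary]
homePath   = $SPLUNK_DB/sample_summary/db
coldPath   = $SPLUNK_DB/sample_summary/colddb
thawedPath = $SPLUNK_DB/sample_summary/thaweddb
```

With this in place the search head finds the summaries with index=sample_summary across its existing five peers, without server 8 itself having to be a search peer.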
Thanks for the reply and for your time.
Is this the same as the distributed search located under the Manager tab?
Because my current set-up is this:
I made this set-up using Distributed Search under the Manager tab.
Search head server: as search peers I added the 5 indexing servers and the summary indexing server:
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Summary Indexing Server

Summary indexing server: I also added the 5 indexing servers as search peers:
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
xx.xxx.xxx.xx:8089 Indexer Server
Then, on the summary indexing server, I save a search, enable summary indexing on it, choose my created sample index, set a schedule and save it.
After an hour, to check whether the data was already saved to my created sample index, the search head server runs this search string: ( splunkserver=* index=sampleindexes ). Now I can view the data I created on my summary indexing server, and I can use the indexes from my summary indexing server to create a dashboard.
So now I am asking: is this right, or am I just wasting my time?
Thanks and regards
Please don't hesitate to ask me if I need to elaborate my question more.