Can I store data at the index layer so isolated se...

brent_weaver · ‎08-29-2017

I am building up Splunk content for our product in Splunk. I am building a dashboard to count events, which are many. I want to use kvstore to store this info and then have the app use the lookup to get this data. I have played a bit with kvstore and do understand how to do this but need advice on setup.

We have multiple search heads, how do I store the data at the index layer so the other [isolated] search heads can access them without having the query running locally? It seems that I can enable replication?

What config files do I need to setup? Seems that I need to do collections.conf and transforms.conf. Is this correct?

I assume I can store a field as time/date?

Any help/advice is welcome!

markusspitzli2 · ‎08-31-2017

yes. you have to create a new summary index and store the data in it. every searchhead should be abe to access the data and create its own lookupfile if you want.

brent_weaver · ‎08-31-2017

I am not opposed to that but then I need to create the summary index right?

markusspitzli2 · ‎08-31-2017

hey.
why not store the events in a summary index instead of the kvstore?

Can I store data at the index layer so isolated search heads can access it?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!