Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get multiple Indexers Summary index data into Search head

gajananh999
Contributor
‎04-01-2016 06:29 AM

Hello Guys,

Hope you are all doing well Splunking. Need little help here in 2 things .

1) We have infrastructure like 3 search head, 5 indexers, 1 deployment server , 1 master server and 1 license server.

We would like to index all the _internal logs from all the instances into "New index" and want to search those information on Search Head.

So it will like getting all _internal information at one place.

2) There are summary indexes on each and every instance how should i reindex that data into Indexes so that i can search that into Search head.. So how do i get all summary index data at one place?

Thanks
Gajanan Hiroji

0 Karma
Reply

woodcock
Esteemed Legend
‎04-01-2016 08:07 AM

What is your motivation for such strangeness?

0 Karma
Reply

somesoni2
Revered Legend
‎04-01-2016 07:45 AM

If you're using distributed deployment, all your _internal logs from all your nodes should anyways be going to Indexers and they should be searchable from Search Head any ways. The same goes with summary index as well.

If not already configured, setup fowarding on all non-Indexer nodes to send data to your indexer cluster.

Reply

gajananh999
Contributor
‎04-01-2016 09:34 AM

Hey Thanks Soni for the reply. One last question here how will configure Summary_index data from all the Non-indexers to Indexer cluster. Because this data is in Index Not in File.

0 Karma
Reply

somesoni2
Revered Legend
‎04-01-2016 10:07 AM

If the Forwarding option is configured correctly, the summary index data would also go to Indexer cluster as well. The summary indexing is also a file monitoring, input definition for which is internal to Splunk. All summary index search results are written to folder $SPLUNK_HOME/var/spool/splunk/ which splunk monitors and forwards to Indexer if distributed search is configured.

0 Karma
Reply

gajananh999
Contributor
‎04-01-2016 11:16 AM

Hello Soni,

Thanks for the reply as i have described we are creating an generic app which can be used in clustered and non clustered environment. So how ill do the same thing in stand alone system.

and i am not aware about forwarding _internal and summary index logs from Non-indexers to the Indexers , Could you please describe this little bit.

Thanks
Gajanan Hiroji

0 Karma
Reply

gajananh999
Contributor
‎04-01-2016 09:36 AM

Hey cook,

We are trying to get all data at one place and trying created an App which will help Splunk administrator in better way on Search Head without going to Each and every Splunk instance.

Thanks
Gajanan Hiroji

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...