How to get multiple Indexers Summary index data into Search head

gajananh999
Contributor

Hello Guys,

Hope you are all doing well Splunking. Need a little help here with 2 things.

1) We have infrastructure like 3 search heads, 5 indexers, 1 deployment server, 1 master server and 1 license server.

We would like to index all the _internal logs from all the instances into a "New index" and want to search that information on the Search Head.

So it will be like getting all _internal information in one place.

2) There are summary indexes on each and every instance. How should I reindex that data into indexes so that I can search it on the Search Head? So how do I get all summary index data in one place?

Thanks
Gajanan Hiroji

0 Karma

woodcock
Esteemed Legend

What is your motivation for such strangeness?

0 Karma

somesoni2
SplunkTrust

If you're using a distributed deployment, all your _internal logs from all your nodes should anyway be going to the Indexers and they should be searchable from the Search Head anyway. The same goes for summary indexes as well.

If not already configured, set up forwarding on all non-Indexer nodes to send data to your indexer cluster.

gajananh999
Contributor

Hey, thanks Soni for the reply. One last question here: how will I configure Summary_index data from all the non-indexers to the indexer cluster? Because this data is in an index, not in a file.

0 Karma

somesoni2
SplunkTrust

If the forwarding option is configured correctly, the summary index data would also go to the Indexer cluster. Summary indexing is also file monitoring, the input definition for which is internal to Splunk. All summary index search results are written to the folder $SPLUNK_HOME/var/spool/splunk/, which Splunk monitors and forwards to the Indexers if distributed search is configured.

0 Karma
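
The forwarding setup referred to in the replies above, as an added example that is not part of the original thread: an `outputs.conf` for a search head (or other non-indexer instance) that stops local indexing and sends all events, including `_internal` and summary-index events, to the indexers. The group name `primary_indexers` and the host:port values are constructed placeholders, and it assumes the indexers already listen on that receiving port and have the target summary index defined.

```ini
# outputs.conf on each search head / non-indexer instance,
# e.g. $SPLUNK_HOME/etc/system/local/outputs.conf

# Turn off local indexing so the indexers hold the only copy.
[indexAndForward]
index = false

[tcpout]
# Output group that receives all forwarded data (placeholder name).
defaultGroup = primary_indexers
# Turn off the forwarded-index filter so events for every index are
# sent on: _internal, _audit and the summary indexes included.
forwardedindex.filter.disable = true
# Forward only; do not also index on this instance.
indexAndForward = false

# Constructed placeholder hosts: list every indexer's receiving port.
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

Restart the instance after the change; events then carry the sending instance's `host` value, so one search on the search head can tell the nodes apart.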

gajananh999
Contributor

Hello Soni,

Thanks for the reply. As I have described, we are creating a generic app which can be used in clustered and non-clustered environments. So how will I do the same thing in a standalone system?

And I am not aware of forwarding _internal and summary index logs from non-indexers to the indexers. Could you please describe this a little bit?

Thanks
Gajanan Hiroji

0 Karma

gajananh999
Contributor

Hey cook,

We are trying to get all data in one place and trying to create an app which will help the Splunk administrator in a better way on the Search Head without going to each and every Splunk instance.

Thanks
Gajanan Hiroji

0 Karma