Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get multiple Indexers Summary index data into Search head

gajananh999
Contributor
‎04-01-2016 06:29 AM

Hello Guys,

Hope you are all doing well Splunking. Need little help here in 2 things .

1) We have infrastructure like 3 search head, 5 indexers, 1 deployment server , 1 master server and 1 license server.

We would like to index all the _internal logs from all the instances into "New index" and want to search those information on Search Head.

So it will like getting all _internal information at one place.

2) There are summary indexes on each and every instance how should i reindex that data into Indexes so that i can search that into Search head.. So how do i get all summary index data at one place?

Thanks
Gajanan Hiroji

0 Karma
Reply

woodcock
Esteemed Legend
‎04-01-2016 08:07 AM

What is your motivation for such strangeness?

0 Karma
Reply

somesoni2
Revered Legend
‎04-01-2016 07:45 AM

If you're using distributed deployment, all your _internal logs from all your nodes should anyways be going to Indexers and they should be searchable from Search Head any ways. The same goes with summary index as well.

If not already configured, setup fowarding on all non-Indexer nodes to send data to your indexer cluster.

Reply

gajananh999
Contributor
‎04-01-2016 09:34 AM

Hey Thanks Soni for the reply. One last question here how will configure Summary_index data from all the Non-indexers to Indexer cluster. Because this data is in Index Not in File.

0 Karma
Reply

somesoni2
Revered Legend
‎04-01-2016 10:07 AM

If the Forwarding option is configured correctly, the summary index data would also go to Indexer cluster as well. The summary indexing is also a file monitoring, input definition for which is internal to Splunk. All summary index search results are written to folder $SPLUNK_HOME/var/spool/splunk/ which splunk monitors and forwards to Indexer if distributed search is configured.

0 Karma
Reply

gajananh999
Contributor
‎04-01-2016 11:16 AM

Hello Soni,

Thanks for the reply as i have described we are creating an generic app which can be used in clustered and non clustered environment. So how ill do the same thing in stand alone system.

and i am not aware about forwarding _internal and summary index logs from Non-indexers to the Indexers , Could you please describe this little bit.

Thanks
Gajanan Hiroji

0 Karma
Reply

gajananh999
Contributor
‎04-01-2016 09:36 AM

Hey cook,

We are trying to get all data at one place and trying created an App which will help Splunk administrator in better way on Search Head without going to Each and every Splunk instance.

Thanks
Gajanan Hiroji

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...