Hope you are all doing well Splunking. I need a little help here with 2 things.
1) We have infrastructure like 3 search heads, 5 indexers, 1 deployment server, 1 master server and 1 license server.
We would like to index all the _internal logs from all the instances into a "New index" and want to search that information on the Search Head.
So it will be like getting all _internal information in one place.
2) There are summary indexes on each and every instance. How should I reindex that data into indexes so that I can search it from the Search Head? So how do I get all summary index data in one place?
If you're using a distributed deployment, all your _internal logs from all your nodes should be going to the Indexers anyway, and they should be searchable from the Search Head anyway. The same goes for summary indexes as well.
If not already configured, set up forwarding on all non-Indexer nodes to send data to your indexer cluster.
If the forwarding option is configured correctly, the summary index data would go to the Indexer cluster as well. Summary indexing is also a file monitoring input, the definition for which is internal to Splunk. All summary index search results are written to the folder $SPLUNK_HOME/var/spool/splunk/, which Splunk monitors and forwards to the Indexer if distributed search is configured.
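As an added example (not part of the answer above), here is an outputs.conf that a non-Indexer node (search head, deployment server, master, license server) can use to send its locally generated data, including _internal and summary-index output, to the indexers. The hostnames idx1 through idx5 and port 9997 are assumed placeholders; replace them with your receiving indexers' addresses, and make sure each indexer has a receiving port enabled in its inputs.conf (`[splunktcp://9997]`). Place the file in $SPLUNK_HOME/etc/system/local/ (or in an app deployed to those nodes) and restart Splunk.

```ini
# outputs.conf on every non-Indexer node (example, not from the original post)

# Do not keep a local copy of the data: send it to the indexer layer only.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
# Belt and braces: ensure nothing is written to local indexes by this node.
indexAndForward = false
# By default, forwarders filter out some internal indexes from forwarding.
# Disabling the filter forwards everything the node generates, which is what
# puts _internal, _audit and summary-index results on the indexers.
forwardedindex.filter.disable = true

[tcpout:primary_indexers]
# Assumed indexer hostnames and receiving port; the list is load-balanced.
server = idx1.example.local:9997,idx2.example.local:9997,idx3.example.local:9997,idx4.example.local:9997,idx5.example.local:9997
# Optional: encrypt the forwarding connection if the indexers accept TLS.
# sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
# sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
```

Two checks after restarting: on the search head, `splunk list forward-server` should show the indexers as active forwards, and on the search head a search such as `index=_internal host=<search-head-name> | stats count by splunk_server` should return events served by the indexers, not by the search head itself. Note that with local indexing turned off, the summary index the saved search writes to must exist on the indexers (create it there, not on the search head), otherwise the forwarded results will be dropped or land in the last-chance index depending on the indexer configuration.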
Thanks for the reply. As I have described, we are creating a generic app which can be used in clustered and non-clustered environments. So how will I do the same thing on a stand-alone system?
And I am not aware of how to forward _internal and summary index logs from non-indexers to the indexers. Could you please describe this a little bit?
We are trying to get all data in one place and trying to create an app which will help the Splunk administrator in a better way on the Search Head, without going to each and every Splunk instance.