Solved: How to index summary indexes on a Search Head loca...

Jason · ‎03-31-2011

Does anyone have any config pointers for the following scenario:

We have a Search Head, and it runs apps that generate summary index data. We would like it to store its summary indexes locally. But, it is also collecting other data (say, scripted inputs from the UNIX app), and we want to send this other (non-summary, license-using) data to the indexer. How to do this?

Jason · ‎04-15-2011

Evidently in 4.2 the index forwarding is much more granular.

Per the docs, you can specify exactly which indexes get forwarded in outputs.conf.

Defaults:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit

Forward all but indexes starting with Summary:

[tcpout]
forwardedindex.0.blacklist = summary.*
forwardedindex.1.whitelist = .*
forwardedindex.2.blacklist = _.*
forwardedindex.3.whitelist = _audit

View solution in original post

Jason · ‎04-15-2011

Evidently in 4.2 the index forwarding is much more granular.

Per the docs, you can specify exactly which indexes get forwarded in outputs.conf.

Defaults:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit

Forward all but indexes starting with Summary:

[tcpout]
forwardedindex.0.blacklist = summary.*
forwardedindex.1.whitelist = .*
forwardedindex.2.blacklist = _.*
forwardedindex.3.whitelist = _audit

How to index summary indexes on a Search Head locally, and forward all other data to the indexer?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!