Re: Summary Indexing in SH pooling

amalraj · ‎06-26-2012

We are having the following instances in our environment.
3 SH
2 IND
All the 3 SHs are in SH pooling. We disabled scheduling activities in SH1 and SH2 and enabled only in SH3(i.e making SH3 ad Job server).So summary indexing happens only in SH3.

Created sample index "test" in SH1 and scheduled a search for summary indexing in that index.

Since the scheduler activities are done in SH3, when i login into SH3 it is showing "receive event for unconfigured/disabled index="test".

How can we use summary indexing in this scenario?

SarahWKarvenz · ‎07-06-2012

With summary indexes and a distributed search model, there are two files that come in to play, the distributedsearch.conf and the outputs.conf files. In your scenario SH3, which runs the summary index populating search, needs to be able to search over Indexer1 and Indexer2 - these belong in the distributedsearch.conf. In order to "save" the results into the summary index, the SH3 needs to be able to put the results somewhere. This is configured in the outputs.conf file for SH3. If you want the results to be saved back on Indexer1 and Indexer2, you will need to put those in the outputs.conf. If you want to keep the summary index data on SH3 then you need to create that "test" index on SH3 (and also allow the other search heads to search SH3).

One point of note...when we were setting up our SH3 to output summary index data to Indexer1 and Indexer2 but did not have the index existing on SH3, we were unable to save the summary index populating search through the GUI - we had to do that directly through the savedsearches.conf file.

mikelanghorst · ‎07-03-2012

Why do you have the test index on SH1? Is SH3 configured to search against SH1 as a peer? I think the index needs to exist on SH3, even if the data will actually reside elsewhere.

Summary Indexing in SH pooling

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes