Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Summary Indexing in SH pooling

amalraj
New Member
‎06-26-2012 12:35 PM

We are having the following instances in our environment.
3 SH
2 IND
All the 3 SHs are in SH pooling. We disabled scheduling activities in SH1 and SH2 and enabled only in SH3(i.e making SH3 ad Job server).So summary indexing happens only in SH3.

Created sample index "test" in SH1 and scheduled a search for summary indexing in that index.

Since the scheduler activities are done in SH3, when i login into SH3 it is showing "receive event for unconfigured/disabled index="test".

How can we use summary indexing in this scenario?

Tags (1)
0 Karma
Reply

SarahWKarvenz
Path Finder
‎07-06-2012 01:10 PM

With summary indexes and a distributed search model, there are two files that come in to play, the distributedsearch.conf and the outputs.conf files. In your scenario SH3, which runs the summary index populating search, needs to be able to search over Indexer1 and Indexer2 - these belong in the distributedsearch.conf. In order to "save" the results into the summary index, the SH3 needs to be able to put the results somewhere. This is configured in the outputs.conf file for SH3. If you want the results to be saved back on Indexer1 and Indexer2, you will need to put those in the outputs.conf. If you want to keep the summary index data on SH3 then you need to create that "test" index on SH3 (and also allow the other search heads to search SH3).

One point of note...when we were setting up our SH3 to output summary index data to Indexer1 and Indexer2 but did not have the index existing on SH3, we were unable to save the summary index populating search through the GUI - we had to do that directly through the savedsearches.conf file.

Reply

mikelanghorst
Motivator
‎07-03-2012 11:23 PM

Why do you have the test index on SH1? Is SH3 configured to search against SH1 as a peer? I think the index needs to exist on SH3, even if the data will actually reside elsewhere.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...