Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Summary Indexing in SH pooling

amalraj
New Member
‎06-26-2012 12:35 PM

We are having the following instances in our environment.
3 SH
2 IND
All the 3 SHs are in SH pooling. We disabled scheduling activities in SH1 and SH2 and enabled only in SH3(i.e making SH3 ad Job server).So summary indexing happens only in SH3.

Created sample index "test" in SH1 and scheduled a search for summary indexing in that index.

Since the scheduler activities are done in SH3, when i login into SH3 it is showing "receive event for unconfigured/disabled index="test".

How can we use summary indexing in this scenario?

Tags (1)
0 Karma
Reply

SarahWKarvenz
Path Finder
‎07-06-2012 01:10 PM

With summary indexes and a distributed search model, there are two files that come in to play, the distributedsearch.conf and the outputs.conf files. In your scenario SH3, which runs the summary index populating search, needs to be able to search over Indexer1 and Indexer2 - these belong in the distributedsearch.conf. In order to "save" the results into the summary index, the SH3 needs to be able to put the results somewhere. This is configured in the outputs.conf file for SH3. If you want the results to be saved back on Indexer1 and Indexer2, you will need to put those in the outputs.conf. If you want to keep the summary index data on SH3 then you need to create that "test" index on SH3 (and also allow the other search heads to search SH3).

One point of note...when we were setting up our SH3 to output summary index data to Indexer1 and Indexer2 but did not have the index existing on SH3, we were unable to save the summary index populating search through the GUI - we had to do that directly through the savedsearches.conf file.

Reply

mikelanghorst
Motivator
‎07-03-2012 11:23 PM

Why do you have the test index on SH1? Is SH3 configured to search against SH1 as a peer? I think the index needs to exist on SH3, even if the data will actually reside elsewhere.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...