Knowledge Management

Summary Indexing in SH pooling

amalraj
New Member

We have the following instances in our environment:
3 SH
2 IND
All 3 SHs are in SH pooling. We disabled scheduling activities on SH1 and SH2 and enabled them only on SH3 (i.e., making SH3 the job server). So summary indexing happens only on SH3.

Created sample index "test" in SH1 and scheduled a search for summary indexing in that index.

Since the scheduler activities are done on SH3, when I log in to SH3 it shows "receive event for unconfigured/disabled index="test"".

How can we use summary indexing in this scenario?

0 Karma

SarahWKarvenz
Path Finder

With summary indexes and a distributed search model, there are two files that come into play: the distributedsearch.conf and the outputs.conf files. In your scenario, SH3, which runs the summary index populating search, needs to be able to search over Indexer1 and Indexer2; these belong in the distributedsearch.conf. In order to "save" the results into the summary index, SH3 needs to be able to put the results somewhere. This is configured in the outputs.conf file for SH3. If you want the results to be saved back on Indexer1 and Indexer2, you will need to put those in the outputs.conf. If you want to keep the summary index data on SH3, then you need to create that "test" index on SH3 (and also allow the other search heads to search SH3).

One point of note: when we were setting up our SH3 to output summary index data to Indexer1 and Indexer2 but did not have the index existing on SH3, we were unable to save the summary index populating search through the GUI. We had to do that directly through the savedsearches.conf file.

mikelanghorst
Motivator

Why do you have the test index on SH1? Is SH3 configured to search against SH1 as a peer? I think the index needs to exist on SH3, even if the data will actually reside elsewhere.

0 Karma
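A configuration sketch of the forwarding option discussed in the replies above, added here as an illustration and not taken from any poster's environment. The indexer hostnames, port 9997, the group name `summary_indexers`, the saved search name and the search string are all assumptions.

```ini
# ---- outputs.conf on SH3 (the job server) ----
# Stop SH3 from indexing locally and send everything it generates,
# including summary index events, to the indexers.
[indexAndForward]
index = false

[tcpout]
defaultGroup = summary_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:summary_indexers]
# Assumed hostnames and receiving port for Indexer1 and Indexer2
server = indexer1.example.com:9997, indexer2.example.com:9997

# ---- inputs.conf on Indexer1 and Indexer2 ----
# The indexers must listen on the port named in SH3's outputs.conf.
[splunktcp://9997]
disabled = 0

# ---- indexes.conf on Indexer1 and Indexer2 ----
# The summary index has to exist wherever the events finally land.
# The replies also suggest defining the same stanza on SH3 so the
# index is known there; with forwarding on, the data still goes to the indexers.
[test]
homePath   = $SPLUNK_DB/test/db
coldPath   = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb

# ---- savedsearches.conf for the scheduled search that SH3 runs ----
# Constructed example search; only the action.summary_index.* lines
# matter for routing results into the "test" index.
[Summary - status counts]
search = index=main sourcetype=access_combined | sistats count by status
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
enableSched = 1
action.summary_index = 1
action.summary_index._name = test
```

After a restart, a search for `index=test` from any of the search heads that have Indexer1 and Indexer2 as peers should return the summary events once the schedule has fired.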