I have a problem with the configuration/definition of 2 separate summary indexes for storing data on to 2 separate indexer. Let me try to explain the situation and the problem in detail:
1) I have 2 separate Indexer (2 separate Servers). Lets say Indexer A and Indexer B.
2) I have one Search Head (1 Server) with 2 separate Apps. Lets say App 1 and App 2.
3) In App 1 I want to collect the results of my searches in a „summary index AB“ on Indexer A.
4) In App 2 I want to collect the results of my searches in a „summary index BC“ on Indexer B.
I know that the indexer server’s names can be configured in the output.conf file. However, I do not know how to define server specific summary indexes. That is, how can I configure that the results in App 1 are collected in summary index AB on Index A, and analogously for the results in App 2? As far as I understand, in the inputs.conf you cannot define the name of a summary index. Or am I wrong? I hope my description is understandable…
Your help is very much appreciated!
Many thanks for your answer. We tried your proposal, however, it does not work. Do we have to consider something special when executing the collect statement? Or something when configuring the summary index? We do not receive any error message.
Generally, we wonder how other apps handle it? We basically just want to collect the results of an app into a specific summary index. And the search head with the app is connecting to different indexer.
Again, thanks for your appreciated help!
This is very un-usual requirement that you've here. One option that might work would to have a props/transform setting that will override the TCP routing to specific indexers. The props/transforms will not have any reference to apps and summary indexing will have same host and sourcetype, so you'd need to override the TCP routing based on source which is the name of the summary index search. So what you need to do is to ensure that all summary index search from App1 should have same prefix (so that you don't have to update configuration every time you add a new search) and all summary index search from App2 should have same prefix which is different from App1's preefix. Lets say the prefix you chose is Prefix1 and Prefix2, then try something like this on your search head.
[tcpout] defaultGroup=allIndexers [tcpout:allIndexers] server=<indexer1_ip>:<port>, <indexer2_ip>:<port> [tcpout:indexer1] server=<indexer1_ip>:<port> [tcpout:indexer2] server=<indexer2_ip>:<port>
[source::Prefix1...] TRANSFORMS-sendIdx1= sendToIndexer1 [source::Prefix2...] TRANSFORMS-sendIdx2= sendToIndexer2
[sendToIndexer1] DEST_KEY=_TCP_ROUTING FORMAT=indexer1 [sendToIndexer2] DEST_KEY=_TCP_ROUTING FORMAT=indexer2