
how do you configure the search head so it sends 2 summary index data to 2 separate indexer

gmenghini
New Member

I have a problem with the configuration/definition of 2 separate summary indexes for storing data on 2 separate indexers. Let me try to explain the situation and the problem in detail:

1) I have 2 separate Indexers (2 separate servers). Let's say Indexer A and Indexer B.
2) I have one Search Head (1 server) with 2 separate Apps. Let's say App 1 and App 2.
3) In App 1 I want to collect the results of my searches in a "summary index AB" on Indexer A.
4) In App 2 I want to collect the results of my searches in a "summary index BC" on Indexer B.

I know that the indexer servers' names can be configured in the outputs.conf file. However, I do not know how to define server-specific summary indexes. That is, how can I configure that the results in App 1 are collected in summary index AB on Indexer A, and analogously for the results in App 2? As far as I understand, in inputs.conf you cannot define the name of a summary index. Or am I wrong? I hope my description is understandable...

Your help is very much appreciated!


gmenghini
New Member

Hi Somesoni2

Many thanks for your answer. We tried your proposal; however, it does not work. Do we have to consider something special when executing the collect statement? Or something when configuring the summary index? We do not receive any error message.

Generally, we wonder how other apps handle it. We basically just want to collect the results of an app into a specific summary index, and the search head with the app is connecting to different indexers.

Again, thanks for your appreciated help!

Best regards


somesoni2
SplunkTrust

This is a very unusual requirement that you have here. One option that might work would be to have a props/transforms setting that overrides the TCP routing to specific indexers. The props/transforms will not have any reference to apps, and summary indexing will have the same host and sourcetype, so you'd need to override the TCP routing based on source, which is the name of the summary index search. So what you need to do is ensure that all summary index searches from App1 have the same prefix (so that you don't have to update the configuration every time you add a new search) and all summary index searches from App2 have the same prefix, which is different from App1's prefix. Let's say the prefixes you chose are Prefix1 and Prefix2; then try something like this on your search head.

outputs.conf

# Default group: events without a _TCP_ROUTING override go to both indexers
[tcpout]
defaultGroup=allIndexers

[tcpout:allIndexers]
server=<indexer1_ip>:<port>, <indexer2_ip>:<port>

# One named group per indexer, so a transform can target a single one
[tcpout:indexer1]
server=<indexer1_ip>:<port>

[tcpout:indexer2]
server=<indexer2_ip>:<port>

props.conf

# "..." matches any characters, so every source that starts with the prefix matches
[source::Prefix1...]
TRANSFORMS-sendIdx1= sendToIndexer1

[source::Prefix2...]
TRANSFORMS-sendIdx2= sendToIndexer2

transforms.conf

# Writing a tcpout group name into _TCP_ROUTING overrides defaultGroup for that event
[sendToIndexer1]
DEST_KEY=_TCP_ROUTING
FORMAT=indexer1

[sendToIndexer2]
DEST_KEY=_TCP_ROUTING
FORMAT=indexer2
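A small dry-run checker for the routing logic described in the answer above. This is an added example, not code from somesoni2 or from Splunk: it parses constructed copies of the three fragments (with placeholder addresses in place of `<indexer1_ip>:<port>`), resolves which tcpout group a given summary-search source name would be routed to, and flags `FORMAT` values that name a tcpout group that does not exist. It assumes the documented source:: wildcard semantics (`...` matches any characters, `*` matches any characters except a path separator) and that a `_TCP_ROUTING` transform simply replaces `defaultGroup`; it does not model anything else Splunk does at index time.

```python
"""Dry-run resolver for source-based _TCP_ROUTING overrides (added example)."""
import configparser
import re
from typing import Dict, List

# Constructed copies of the fragments from the answer; addresses are placeholders.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = allIndexers

[tcpout:allIndexers]
server = 10.0.0.1:9997, 10.0.0.2:9997

[tcpout:indexer1]
server = 10.0.0.1:9997

[tcpout:indexer2]
server = 10.0.0.2:9997
"""

PROPS_CONF = """
[source::Prefix1...]
TRANSFORMS-sendIdx1 = sendToIndexer1

[source::Prefix2...]
TRANSFORMS-sendIdx2 = sendToIndexer2
"""

TRANSFORMS_CONF = """
[sendToIndexer1]
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1

[sendToIndexer2]
DEST_KEY = _TCP_ROUTING
FORMAT = indexer2
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: DEST_KEY, FORMAT, TRANSFORMS-...
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def source_pattern_to_regex(stanza: str) -> "re.Pattern[str]":
    """Translate a `source::<pattern>` stanza into a regex (assumed wildcard semantics)."""
    pattern = stanza[len("source::"):]
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out += ".*"          # "..." matches anything, including separators
            i += 3
        elif pattern[i] == "*":
            out += r"[^/\\]*"    # "*" stops at a path separator
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def route_for_source(source: str, props: Dict, transforms: Dict, outputs: Dict) -> List[str]:
    """Return the indexer addresses an event with this `source` would be sent to."""
    group = outputs["tcpout"]["defaultGroup"]
    for stanza, settings in props.items():
        if not stanza.startswith("source::") or not source_pattern_to_regex(stanza).match(source):
            continue
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (v.strip() for v in value.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") == "_TCP_ROUTING":
                    group = t["FORMAT"]  # override replaces the default group
    return [s.strip() for s in outputs[f"tcpout:{group}"]["server"].split(",")]


def undefined_groups(transforms: Dict, outputs: Dict) -> List[str]:
    """_TCP_ROUTING targets with no matching [tcpout:<name>] stanza (a silent misroute)."""
    return sorted(t["FORMAT"] for t in transforms.values()
                  if t.get("DEST_KEY") == "_TCP_ROUTING" and f"tcpout:{t['FORMAT']}" not in outputs)


PROPS, TRANSFORMS, OUTPUTS = parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF), parse_conf(OUTPUTS_CONF)


def check_routing(sources: List[str]) -> Dict[str, List[str]]:
    """Map each summary-search source name to the indexers it would land on."""
    return {src: route_for_source(src, PROPS, TRANSFORMS, OUTPUTS) for src in sources}


if __name__ == "__main__":
    for src, servers in check_routing(["Prefix1_daily_errors", "Prefix2/weekly", "legacy_report"]).items():
        print(f"{src:25} -> {servers}")
    print("undefined groups:", undefined_groups(TRANSFORMS, OUTPUTS))
```

The third constructed source name, `legacy_report`, matches neither prefix and therefore falls back to `defaultGroup`, so its summary data would be indexed on both indexers. That is the case to look for before rolling the configuration out: any summary search that is renamed or created without the agreed prefix duplicates its results rather than failing loudly.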