Re: summary index on search head not showing all t...

vadud3 · ‎01-20-2012

When I search for index=summary in search head, the result
only shows one of the server in splunk_server field. But I have 3 indexers.
Shouldn't I see all the indxers name in the splunk_server field?

dshpritz · ‎01-20-2012

Hey vadud3,

The summary index is actually an index stored on the search head, and as such is going to show the search head as the indexer responsible for the answer. You would need to have a field in your summary data which shows the original indexer. If you have 3 indexers, you may also want to think about forwarding all of your indexes off of the search head, such that no indexing is done on the search head, thus taking advantage of your distributed setup.

HTH

Dave

dshpritz · ‎01-21-2012

Is the indexer showing up in the results the search head or one of the indexers? You may want to look into using the metadata search command to dig into what data is on what search head:
http://docs.splunk.com/Documentation/Splunk/latest/searchreference/metadata

Dave

vadud3 · ‎01-20-2012

That is how I have it setup. But I am wandering why one of the indexer shows up in splunk_server list ?

summary index on search head not showing all the indexers in splunk_server field

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

summary index on search head not showing all the indexers in splunk_server field

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!