Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Do i create indexs on Search head or on each indexer on non cluster envioment

smdasim
Explorer
‎08-11-2018 11:54 PM

Hi,

We have a indexer{2 indexers] in our environment, 2 fowarder and 1 search heads. If we create indexes on a search head using GUI will the configuration for these be reflected in indexers?

Please advice detailed steps to create indexs in a simple splunk envioment with 1 Search head ,2 Fowarders and 2 Indexers .

Regards
smdasim

Tags (1)
0 Karma
Reply

afroz
Path Finder
‎08-12-2018 02:45 AM

Hi,

Create indexes in each indexer at /etc/apps folder.

From search head go to settings - search peers--> add indexers with management port.

Forward data from forwarders to indexers directly.

Logs will be searchable from search head. No need to create index in search head. Just add indexers in search peers of search head as explained above.

Reply

renjith_nair
Legend
‎08-12-2018 01:22 AM

@smdasim,

There is no difference in the splunk software for search head and index. Its the configuration what it make the difference and assign the roles.

Indexes created on search head do not transfer to indexers automatically. You need to create index on the indexers manually or use a deployment server to push the indexes.conf automatically.

Since its a distributed architecture, you could decide which data goes to which indexer and index and based on that you can create index on specific indexers using Splunk Web or cli or using indexes.conf

Here is a detailed documentation about creating index in distributed environment.

http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Setupmultipleindexes#Create_and_edit_event...

Also its recommended to send search head data also to indexers . Detailed steps are available in
https://docs.splunk.com/Documentation/Splunk/7.1.2/DistSearch/Forwardsearchheaddata

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...