Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to merge multiple index into single index?

jack_lai
Observer
‎01-29-2023 08:25 PM

Hi splunk god,


Have enquiry, i have an environment which heavyforwarder logs send to cluster indexer.
I need the below multi index merge into single index which is index_general.
Basically, when user search index_general and able to search all the logs contain in the three index.

1)Is this configuration feasible?

index_fw->index_general
index_window->index_general
index_linux->index_general

2)If yes, this configuration needs to be done on HF or Indexer?

3)if qns2 yes, which config file should be configured.

Labels (2)
0 Karma
Reply

jack_lai
Observer
‎01-30-2023 10:57 PM

How about if i got 2 cluster environments for example:

HF1->HF2>Indexer1
HF1->HF2>Indexer2

For Indexer1, the indexer should be able to query as per norm with 3 index.
For Indexer2, the indexer should be able to query with index_general.

I have tried other option which props/transform from sourcetype with _MetaData:Index in HF1, but this method affects the existing index and logs flow to Indexer1 as well.  Is there any alternative option or technically feasible?

0 Karma
Reply

manjunathmeti
Champion
‎01-29-2023 10:38 PM

hi @jack_lai,


1) Yes, this can be done. But there are 2 things to consider.
1.1. Searches will be slower as you move 3 index data to one.
1.2. Data size of index_general should be the sum of the data sizes of 3 indexes and data retention should be the maximum value of data retention values of 3 indexes.

2) You can update inputs.conf on forwarders to send data to index_general index. But this will work only for new data.

3) For existing data you can use the collect command to write data to the index_general index.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...