Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is 'collect' not adding to a summary index on a search head cluster?

splunkto
Explorer
‎03-23-2017 12:50 PM

I have a query where at the end I specify "| collect index=foo sourcetype=bar" and the results go into that index on a standalone search head. When I do the same on the cluster, it does not go to the index. Additionally the search head complains that it received an event for an unconfigured/disabled/deleted index=foo like it is attempting to write the data locally.

What do I need to do to the search head cluster so it targets the indexers when writing summary indexes instead of locally?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-23-2017 01:42 PM

On a search head cluster, summary data must be forwarder to the indexer tier. This is a best practice for all search heads, but required for clustered search heads.

Here is a link to the documentation - Best practice: Forward search head data to the indexer layer

Create the summary index on each indexer, and follow the documentation directions to make each search head forward to the indexer tier.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-23-2017 01:42 PM

On a search head cluster, summary data must be forwarder to the indexer tier. This is a best practice for all search heads, but required for clustered search heads.

Here is a link to the documentation - Best practice: Forward search head data to the indexer layer

Create the summary index on each indexer, and follow the documentation directions to make each search head forward to the indexer tier.

Reply
Solved! Jump to solution

splunkto
Explorer
‎03-23-2017 02:06 PM

I just found this right before you posted.

The following is what I was missing on the cluster:
[indexAndForward]
index = false

After that it seems to add to the summary index properly now.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...