Splunk ITSI

ITSI installation

ramarcsight
Explorer

I have a Search Head called JOHN
- it has several search peers connected to it in distributed environment , it has around 100 Search Peers

-so EMMA search peer 1 and EMMA search peer 2 are both connected to JOHN along with another Search Peers
So now i am trying to install ITSI app in SH -JOHN
- but the indexes that r created by ITSI APP itsi_summary,
anomaly_detection etc., - shd be only written into EMMA SEARCH PEERS 1 and 2 but not in all search peers connected to JOHN.

So by placing SA-IndexCreation in only Emma indexer 1 and indexer 2 can we achieve dis ??

IS that possible?

Tags (2)
0 Karma
1 Solution

lloydknight
Builder

Hello @ramarcsight

Assuming your Indexers are clustered:
Given that data will be replicated on Index Clustering, try this link below to disable replication to specific peers (your EMMA search peer 1 and EMMA search peer 2).
https://answers.splunk.com/answers/376042/is-it-possible-to-disable-replication-to-specific.html

Assuming your Indexers are non-clustered:
Try to forward your data on the EMMA Indexer 1 and EMMA Indexer 2 only.
Check this link below:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad#Filter_data_by_target_i...

Related questions on this case:
https://answers.splunk.com/answers/55131/specific-index-forwarding-to-external-index-tier.html
https://answers.splunk.com/answers/124648/how-to-send-only-certain-indexes-from-a-search-head-to-the...

Hope it helps!

View solution in original post

lloydknight
Builder

Hello @ramarcsight

Assuming your Indexers are clustered:
Given that data will be replicated on Index Clustering, try this link below to disable replication to specific peers (your EMMA search peer 1 and EMMA search peer 2).
https://answers.splunk.com/answers/376042/is-it-possible-to-disable-replication-to-specific.html

Assuming your Indexers are non-clustered:
Try to forward your data on the EMMA Indexer 1 and EMMA Indexer 2 only.
Check this link below:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad#Filter_data_by_target_i...

Related questions on this case:
https://answers.splunk.com/answers/55131/specific-index-forwarding-to-external-index-tier.html
https://answers.splunk.com/answers/124648/how-to-send-only-certain-indexes-from-a-search-head-to-the...

Hope it helps!

akhil36109
New Member

Hello Hi

The thing is EMMA1 and EMMA2 has thier own Cluster master ,so how to create SA-IndexCreation Indexes in only Emma1 and Emma2??

0 Karma

ansif
Motivator

Indexer clustered?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...