Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see data from a specific indexer

tzhmaba2
Path Finder
‎02-21-2011 04:08 PM

Hi,

Is there a way to search for data which has been sent to a specific indexer? I want to make a test (to check our recover scenario):
- stop one indexer (even power off now)
- unmount the SAN LUN whith index data and mount this LUN to another indexer
- start splunk and clean or reindex the index
- see if the data from the "broken" indexer are correctly seen on the test indexer.

Any ideas?

Best regards, Bartosz Maruszewski

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Brian_Osburn
Builder
‎02-21-2011 04:48 PM

You should have a field called "splunk_server", that's what indexer it came from.

You should be able to search / display based on that.

Brian

View solution in original post

Reply
Solved! Jump to solution

jdunlea_splunk
Splunk Employee
Splunk Employee
‎12-08-2011 12:51 AM

Do you know is there a way that we can tell a search to only distribute to a specific indexer? - The above solution will indeed show results from only one indexer. But i believe that the search is still distributed to all indexers, but only SHOWS results from the indexer specified.

I am hoping to find a way to limit what indexer(s) the search is initially distributed to.

Can anyone help here???

Thanks!

John

0 Karma
Reply
Solved! Jump to solution
Solution

Brian_Osburn
Builder
‎02-21-2011 04:48 PM

You should have a field called "splunk_server", that's what indexer it came from.

You should be able to search / display based on that.

Brian

Reply
Solved! Jump to solution

tzhmaba2
Path Finder
‎02-24-2011 09:54 AM

Thanks very much!

0 Karma
Reply
Solved! Jump to solution

Brian_Osburn
Builder
‎02-22-2011 06:11 PM

Its the indexer where the data was sent to from the forwarder.

0 Karma
Reply
Solved! Jump to solution

tzhmaba2
Path Finder
‎02-22-2011 10:53 AM

Thanks!

One more question: What is the value of this field: -the indexer hostname where the data got indexed originally or -the indexer hostname from which the data was sent to the search head for the current search?

Best regards,
Bartosz Maruszewski

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...