Solved: How to see data from a specific indexer

tzhmaba2 · ‎02-21-2011

Hi,

Is there a way to search for data which has been sent to a specific indexer? I want to make a test (to check our recover scenario):
- stop one indexer (even power off now)
- unmount the SAN LUN whith index data and mount this LUN to another indexer
- start splunk and clean or reindex the index
- see if the data from the "broken" indexer are correctly seen on the test indexer.

Any ideas?

Best regards, Bartosz Maruszewski

Brian_Osburn · ‎02-21-2011

You should have a field called "splunk_server", that's what indexer it came from.

You should be able to search / display based on that.

Brian

View solution in original post

jdunlea_splunk · ‎12-08-2011

Do you know is there a way that we can tell a search to only distribute to a specific indexer? - The above solution will indeed show results from only one indexer. But i believe that the search is still distributed to all indexers, but only SHOWS results from the indexer specified.

I am hoping to find a way to limit what indexer(s) the search is initially distributed to.

Can anyone help here???

Thanks!

John

Brian_Osburn · ‎02-21-2011

You should have a field called "splunk_server", that's what indexer it came from.

You should be able to search / display based on that.

Brian

tzhmaba2 · ‎02-24-2011

Thanks very much!

Brian_Osburn · ‎02-22-2011

Its the indexer where the data was sent to from the forwarder.

tzhmaba2 · ‎02-22-2011

Thanks!

One more question: What is the value of this field: -the indexer hostname where the data got indexed originally or -the indexer hostname from which the data was sent to the search head for the current search?

Best regards,
Bartosz Maruszewski

How to see data from a specific indexer

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor