...ssentially on indexing capacity, even though it's less than 100Go daily (our licence allows 80Go) and search load is really low. So we have : - 1 Search Head - 2 indexers (no cluster) The search head a...
Hello,
I'm looking to set up our search head to send summary index data it generates back to our indexers in a distributed environment.
I found the following question, and I understand the t...
I have a single indexer and single search head with the indexer attached as a search peer and I created one index called "winevent" on the indexer.
I don't understand why the search head cannot s...
Hi,
I am doing statistical analysis on a number of indexes for time series forecasting.
On reading the following article, it gives a sample SPL query as follows: | gentimes start=”01/01/2018" i...
I have a single-instance Splunk (splunk A). Now I want to do distributed search containing 1 indexer (splunk A) + 1 search header (splunk B) and use the existing Splunk enterprise (splunk A) as the index...
Say I have two indexers in two different datacenters, and I want to distribute searches across the WAN/VPN/Internet between them. What kind of bandwidth is necessary for optimal search performance? F...
...alue combinations and 10's of millions of dups, across a few dozen indexers. The results distribution is likely to be neither sparse nor dense, but long-tail - a few combinations will predominate, w...
Hi,
In a distributed mode with 1 search head and 4 indexers, when making a search through the search head, 2 of the 4 indexers are not showing indexed data except internal logs of other S...
It looks like indexes on both nodes are updated with the same entries. Does distributed indexing load and index the same data from a source to both indexers?
UPDATE
It turns out that I've c...
I am testing our new indexer cluster using our existing search head. I added the indexer cluster servers to "dist_search" and created an indexer group so I can search just the cluster. However, a...