Deployment Architecture

How do I restrict searches to specific search peers by default and in saved and scheduled searches?

hoiby
Explorer

I have recently added an independent search head which performs distributed searches using two different search peers, lets call them Peer A and Peer B. I want queries from the search head to only use Peer A by default, and be able to search Peer B on demand by specifying in the search terms (e.g. splunk_server=* or splunk_server=PeerB). The Splunk documentation mentions this is possible, but following the links just takes me in circles and doesn't ever explain how to do it.

From Splunk 6.1.2 Documentation "When performing a distributed search from a search head, you can restrict your searches to specific search peers (also known as "indexer nodes") by default and in your saved and scheduled searches."

I've read that I can specify default indexes by role, but since I have recently connected two indexers with this new search head, some of the index names are the same (e.g. "main") and so it seems to make more sense to set defaults for searches by splunk_server rather than by index name.

How can I set the default search peer for distributed searches?

Do I have to rename the indexes and then use the role rules to accomplish this? If so, are there any pitfalls or caveats to renaming the main index?

0 Karma
1 Solution

rsennett_splunk
Splunk Employee
Splunk Employee

The doc you are quoting means, you can restrict to specific peers by naming them in your search

index=blah sourcetype=foo splunk_server=YourSplunkServerA

That would restrict the search to just that peer. So restrict to rather than restrict from

What I believe you want is to create a distributed_search_group and create a "group of one". I have never tried it with one... so don't blame the messenger. 🙂

Here is the doc with an example: http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Distributedsearchgroups

[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089

[distributedSearch:A]
# This stanza lists the default group, which consists of one peer
default = true
servers = 192.168.1.1:8089

I don't think you have to account for the other server anywhere... but it will be available
to you if you specify, in this case splunk_server=192.168.1.2 only.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rsennett_splunk
Splunk Employee
Splunk Employee

The doc you are quoting means, you can restrict to specific peers by naming them in your search

index=blah sourcetype=foo splunk_server=YourSplunkServerA

That would restrict the search to just that peer. So restrict to rather than restrict from

What I believe you want is to create a distributed_search_group and create a "group of one". I have never tried it with one... so don't blame the messenger. 🙂

Here is the doc with an example: http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Distributedsearchgroups

[distributedSearch]
# This stanza lists the full set of search peers.
servers = 192.168.1.1:8089, 192.168.1.2:8089

[distributedSearch:A]
# This stanza lists the default group, which consists of one peer
default = true
servers = 192.168.1.1:8089

I don't think you have to account for the other server anywhere... but it will be available
to you if you specify, in this case splunk_server=192.168.1.2 only.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

hoiby
Explorer

Thanks for the advice, it looks to be exactly what I needed. Not sure how I missed that, its right there in the distributed search documentation... ><

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

Great! Glad another pair of eyes was helpful. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...