Distributed Summary indexing - Search head and indexer on 4.2

Starlette
Contributor

Hi there,

How do you have to deal with this on 4.2? Because in 4.2 you have to run the search head as a member of the pool (slave license node) ( http://www.splunk.com/base/Documentation/latest/Deploy/Installadedicatedsearchhead )

I am now rolling out this setup with the Cisco security app, and am not sure how to go on. I want custom summary indexes, by the way, from the Cisco security app due to roles/users.

Pre-4.2 answers:

http://answers.splunk.com/questions/7810/app-installation-scheduled-searches-summary-index-and-searc...

http://answers.splunk.com/questions/5837/summary-indexing-on-a-search-head

http://answers.splunk.com/questions/8613/distributed-summary

thanks!


rbal_splunk
Splunk Employee

The information provided above for summary indexing is true in a Splunk clustered environment.

Below are the steps that I used to test it in my clustered environment on Splunk version 6.0.4.

In my clustered test environment I have a cluster master (name: CM604), cluster peer 1 (name: peer1604), cluster peer 2 (name: peer2604), search head 1 (name: sh604) and search head 2 (name: sh2604).

1) Search Head 1 is set up to forward all the data to the cluster peers.
2) For my test I used index=testsummary for summary indexing.
3) Deployed the custom index=testsummary from the cluster master to the cluster peers (using indexes.conf).
4) Created the custom index on Search Head 1, where summary indexing is to be performed.
5) Defined a saved search on Search Head 1 which will use the custom index=testsummary for summary indexing. Search Head 1 performs the summary and forwards the data to the cluster peers.
6) This data is searchable from both Search Head 1 and Search Head 2.


yannK
Splunk Employee

For summary indexing, in a distributed environment, you need:

  • the summary index created on the search head and on every indexer
  • the search head configured to forward all its data to the indexers (load balanced if needed), see Manager > Forwarding
  • the app and the summary searches installed on the search head.

The populating searches will run on the search head; the results are written to the local spooler, then monitored, parsed locally, forwarded to the indexers and stored in the indexes on the indexers.
Then, when searching the summarized data, it acts like a distributed search, and the results are returned by the indexers.
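The setup that rbal_splunk's steps and yannK's bullets describe, written out as configuration. This is an added example, not the posters' own files: the host names (CM604, peer1604, peer2604, sh604) and the index name testsummary come from the thread above; the receiving port 9997, the saved search's base search (index=cisco, sourcetype=cisco:asa) and the marker field name report are assumptions to be replaced with the Cisco security app's own values.

```ini
# --- indexes.conf ---
# Cluster master (CM604): $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf,
# pushed to peer1604 and peer2604 with "splunk apply cluster-bundle".
# Search head (sh604): the same stanza in an app's local/indexes.conf, so the
# saved search's summary-index action has a valid target index.
[testsummary]
homePath   = $SPLUNK_DB/testsummary/db
coldPath   = $SPLUNK_DB/testsummary/colddb
thawedPath = $SPLUNK_DB/testsummary/thaweddb
# repFactor = auto only matters on the cluster peers: the index is then
# replicated according to the cluster's replication factor.
repFactor  = auto

# --- outputs.conf on the search head (sh604) ---
# Forward everything the search head would otherwise index locally,
# summary-index results included, and keep no local copy.
[indexAndForward]
index = false

[tcpout]
defaultGroup = cluster_peers
# Also forward the internal indexes (_internal, _audit) so the search head's
# own activity is searchable through the peers.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:cluster_peers]
# Assumption: each peer listens on 9997 ("splunk enable listen 9997").
server = peer1604:9997,peer2604:9997
autoLB = true

# --- savedsearches.conf on the search head (sh604) ---
# Scheduled search that writes its results into testsummary once an hour.
# The base search is a placeholder (assumed index and sourcetype).
[Cisco security - hourly connection summary]
search = index=cisco sourcetype=cisco:asa | sistats count by src_ip, dest_port
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
cron_schedule = 5 * * * *
enableSched = 1
action.summary_index = 1
action.summary_index._name = testsummary
# Any action.summary_index.<field> becomes a field on every summary event;
# "report" (assumed name) tags the rows so later searches can filter on them.
action.summary_index.report = cisco_hourly_connections
```

To confirm the summary events land on the peers and not on the search head, run from either search head: index=testsummary report=cisco_hourly_connections | stats count by splunk_server. Only peer1604 and peer2604 should appear as splunk_server; if sh604 shows up, the outputs.conf indexAndForward settings are not in effect. Because the summary rows were produced with sistats, query them with stats count by src_ip, dest_port rather than a plain count.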
