Hi there,
How do I have to deal with this on 4.2? Because in 4.2 you have to run the search head as a member of the pool (slave license node) ( http://www.splunk.com/base/Documentation/latest/Deploy/Installadedicatedsearchhead )
I am rolling out this setup now with the Cisco security app, and am not sure how to go on. * I want custom summary indexes btw, from the Cisco security app, due to roles/users.
Pre-4.2 answers:
http://answers.splunk.com/questions/5837/summary-indexing-on-a-search-head
http://answers.splunk.com/questions/8613/distributed-summary
thanks!
The information provided above for summary indexing is true in a Splunk clustered environment.
Below are the steps that I used to test it in my clustered environment on Splunk version 6.0.4.
In my clustered test environment I have: Cluster master (name: CM604), Cluster peer 1 (name: peer1604), Cluster peer 2 (name: peer2604), Search Head 1 (name: sh604), Search Head 2 (name: sh2604).
1) Search Head 1 is set up to "forward" all the data to the cluster peers.
2) For my test I used index=testsummary for summary indexing.
3) Deployed the custom index=testsummary from the cluster master to the cluster peers (using indexes.conf).
4) Created the custom index on "Search Head 1", where summary indexing is to be performed.
5) Defined a saved search on "Search Head 1", which will use the custom index=testsummary for summary indexing. "Search Head 1" performs the summary and forwards the data to the cluster peers.
6) This data is searchable from both "Search Head 1" and "Search Head 2".
For summary indexing in a distributed environment, you need:
The populating searches will run on the search head, the results will be written to the local spooler, then monitored, parsed locally, then forwarded to the indexers and stored in the indexes on the indexers.
Then, when searching the summarized data, it will act like a distributed search, and the results will be returned by the indexers.
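To make the two answers above concrete (the six-step clustered procedure and the "search head populates, forwards, indexers store" flow), here is an added example of the .conf fragments that setup amounts to. It is not from either poster or from Splunk's docs; the hostnames CM604/peer1604/peer2604/sh604 are the ones named in the answer, while the receiving port 9997, the saved search name, the cron schedule, the sample search over index=cisco and the use of $SPLUNK_DB paths are assumptions chosen for illustration.

```ini
# ---------------------------------------------------------------
# 1) Cluster master (CM604): push the summary index to the peers.
#    Lives in the cluster bundle under master-apps/_cluster/local/
#    and is applied with "splunk apply cluster-bundle".
# ---------------------------------------------------------------
# File: master-apps/_cluster/local/indexes.conf
[testsummary]
homePath   = $SPLUNK_DB/testsummary/db
coldPath   = $SPLUNK_DB/testsummary/colddb
thawedPath = $SPLUNK_DB/testsummary/thaweddb
# repFactor = auto makes the index replicate like any other clustered index,
# so the summarized events are searchable from every peer / search head.
repFactor  = auto

# ---------------------------------------------------------------
# 2) Cluster peers (peer1604, peer2604): accept forwarded data.
#    Port 9997 is an assumption; use whatever receiving port you run.
# ---------------------------------------------------------------
# File: etc/system/local/inputs.conf (on each peer)
[splunktcp://9997]
disabled = 0

# ---------------------------------------------------------------
# 3) Search head (sh604): same index stanza locally so the summary
#    search has a valid target, but do NOT store anything here.
# ---------------------------------------------------------------
# File: etc/system/local/indexes.conf (on sh604)
[testsummary]
homePath   = $SPLUNK_DB/testsummary/db
coldPath   = $SPLUNK_DB/testsummary/colddb
thawedPath = $SPLUNK_DB/testsummary/thaweddb

# File: etc/system/local/outputs.conf (on sh604)
# Forward everything the search head generates (summary results, its own
# internal logs) to the peers; index = false keeps the local disk empty,
# which is what makes the summary searchable from sh2604 as well.
[indexAndForward]
index = false

[tcpout]
defaultGroup = cluster_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:cluster_peers]
server = peer1604:9997, peer2604:9997

# ---------------------------------------------------------------
# 4) The populating saved search on sh604. The search body is a
#    constructed example over an assumed index=cisco; it is the
#    si* command that makes the output safe to re-aggregate later.
# ---------------------------------------------------------------
# File: etc/apps/<your_app>/local/savedsearches.conf (on sh604)
[summary_testsummary_hourly]
search = index=cisco sourcetype=cisco:asa | sistats count by src_ip, dest_ip, action
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = testsummary
# A marker field so later searches can pick out exactly this report.
action.summary_index.report = testsummary_hourly
```

To verify the path described in the last answer, watch the results leave sh604 and arrive on the peers: run `index=_internal host=sh604 source=*metrics.log group=tcpout_connections` to see the forwarding connections, then `index=testsummary report=testsummary_hourly | stats count by splunk_server` from either search head; with `index = false` on sh604 every event should report a peer, never the search head, as its splunk_server.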