Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Distrubuted search across specific data

Hazel
Communicator
‎06-08-2010 11:14 AM

Hello,

We currently have a Splunk setup as follows

  • UAT: Three indexers (NY, LDN, SGP), each collect data from forwarders in their regions and then searches from each region also distribute across the other two regions, allowing us to get global data from each search head.

  • Prod: Similar setup to UAT.

The problem I have now is that I have some servers that are both my UAT and my Disaster Recovery for Production. They contain some files for UAT, which I want to search in UAT Splunk and some files for DR that I want to search in my Splunk Production.

I know that we could tell our Splunk Production to do a distributed search across UAT servers also in order to get the DR data i need, but I don't really want all UAT data also in Production, is there a way to limit it?

Is there a way to tell our Splunk Production to a distributed search across specific indexes on a server so I can get just some of the data currently going to UAT (ie the DR data) into Splunk Production without taking it all?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-08-2010 02:27 PM

Regardless of what server the data comes from, the default and allowed indexes will be defined by roles on the search head. So perhaps it will be possible to name your indexes differently across the various systems and to have DR data in a differently-named index that is nevertheless in the default search for a role.

If you can't have multiple indexes, or ones with different names, you could perhaps achieve something similar with the role search filters, which are also applied according to roles on the search head.

Reply

Hazel
Communicator
‎06-15-2010 09:22 AM

I still don't understand this. They are in different indexes, but they are on different indexers, reporting to different search heads... so how can this work?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-14-2010 12:10 PM

Put the data that must be accessed differently in different indexes, and configure the default indexes for each role (on each search head) to query a different set of indexes as appropriate.

0 Karma
Reply

Hazel
Communicator
‎06-14-2010 07:58 AM

This answer has been voted up but it does not answer my question. The answer relates to splitting out data over a search head but my question relates to data that is sent to different search heads.

0 Karma
Reply

Hazel
Communicator
‎06-08-2010 03:05 PM

Hi, I'm not sure I understand your answer. The issue here as that the UAT data is indexed to one server and available on one search head and the Production data is indexed to one server and availabled on the Production search head. UAT and Production are not connected, they are different systems and setups. But, I need to get my UAT data, into the Production searches

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...