Getting Data In

Should a summary index be created on both Search Head and Indexer?

jagadeeshm
Contributor

I created a new index (test_summary) in the Indexer for storing summary data.

Then I created a new report in Search Head and enabled it for Summary Indexing. At the time of enabling, you normally have to pick your summary index from "Select the Summary Index" drop-down. The drop-down was showing the new index (test_summary) that created in the Indexer.

When the summary job was triggered out of the report, I started seeing error message in the Search Head saying:

test_summary index was either disabled/deleted or does not exist

Do we need to create the index in the Search Head as well? I don't think we would want to maintain the summary indexed data on the Search Head.

Any advice?

1 Solution

MuS
SplunkTrust
SplunkTrust

Hi jagadeeshm,

It might sound strange, but yes you need to add the index to the search head as well.

Don't worry about storing data on the search head, because if you setup data forwarding on your search head and tell Splunk just to forward the local event and not to store it you will have no local summary data on the search head.

See the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/Forwardsearchheaddata about the best practice to forward logs from search heads to the indexers. The option indexAndForward = false is the one which prevents Splunk from keeping a local copy of your events.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi jagadeeshm,

It might sound strange, but yes you need to add the index to the search head as well.

Don't worry about storing data on the search head, because if you setup data forwarding on your search head and tell Splunk just to forward the local event and not to store it you will have no local summary data on the search head.

See the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/Forwardsearchheaddata about the best practice to forward logs from search heads to the indexers. The option indexAndForward = false is the one which prevents Splunk from keeping a local copy of your events.

Hope this helps ...

cheers, MuS

jagadeeshm
Contributor

@MuS - Thanks for the quick reply. Yes, it is a bit strange that it shows the index created on the Indexer in the Search Head dropdown but doesn't actually store in there. Is this the most common and best approach to create Summary Indexes?

0 Karma

jagadeeshm
Contributor

I created the outputs.conf here - /opt/splunk/etc/apps/SplunkForwarder/local. Is this correct?

0 Karma

jagadeeshm
Contributor

Where am I saying that forward events of test_summary ony?

0 Karma

MuS
SplunkTrust
SplunkTrust

If you only want to forward events for the summary index, you need to apply some route and filtering http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad but why would you do that? Forward everything, specially the _internal events you will need them in case of troubleshooting 😉

0 Karma

jagadeeshm
Contributor

If I set a forwarder NOW, will it forward EVERYTHING from Search Head to the Indexer? Or is it only for the events moving forward?

0 Karma

MuS
SplunkTrust
SplunkTrust

You will get the internal and summary from the moment you enable the forwarding on the search heads. What are your concerns? It will not effect your license usage, since internal logs and summary event do not count against your license usage.

0 Karma

jagadeeshm
Contributor

I am not worried about the license. As soon as I created the test_summary index on the Search Head I started seeing the summary data in there. I was wondering now that I enabled forwarding on the Search Head, will it forward everything from the test_summary index from the Search Head to the Indexer or is it just for the events moving forward only?

0 Karma

MuS
SplunkTrust
SplunkTrust

As I said, it will not create anything on the search head in the summary index - all events are forwarded to the indexers.

0 Karma

jagadeeshm
Contributor

Another question - Summary Indexing doesn't take up license usage. But when this data is forwarded to the Indexer, does it take up additional usage? That will be REALLY bad!

0 Karma

MuS
SplunkTrust
SplunkTrust

Please accept this answer if it solved your problem - thanks 🙂

0 Karma

jagadeeshm
Contributor

My summary index is configured to run every hour and summarize the data the hours before. Like described in the document, I have the forwarding enabled in the Search Head for all events.

However, my events in the summary index on the indexer are at least 4 hours behind.

How to debug this situation further?

0 Karma

jagadeeshm
Contributor

Before the forwarding was enabled, my scheduled Report for summarizing ran twice and i had events sitting in the Search Head. After the forwarding was set-up, it looks like new events are being forwarded to the Indexer, but how can I get the exiting ones also into the Indexer?

0 Karma

MuS
SplunkTrust
SplunkTrust

No, summary index events do not count against the license usage - from the docs http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configuresummaryindexes :

Summary indexing volume is not counted against your license, even if you have several summary indexes. In the event of a license violation, summary indexing will halt like any other non-internal search behavior.
0 Karma

jagadeeshm
Contributor

Perfect, Thanks!

0 Karma

jagadeeshm
Contributor

I enabled the forwarding like I mentioned in the doc, but I don't see my events flowing to Indexer...what is the best way to validate this ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...